The Personal Data Of Millions Of Russians Leaked Through The Trading Platforms - Alternative View


Due to legislative gaps, information on passports and SNILS was in the public domain

Electronic sites put unencrypted personal data of auction participants in the public domain. Because of this, more than 2.2 million records are publicly available, including SNILS numbers, passports and information about employment.

How were the numbers of passports and SNILS found in the public domain?

At least 2.24 million entries with passport data, SNILS numbers and information about the employment of Russians are in the public domain. This was discovered by Ivan Begtin, chairman of the Association of Data Markets Participants; RBC has a copy of his study, "Personal data leaks from open sources. Electronic trading platforms."

The study analyzed information from the largest Russian electronic trading platforms, where commercial and government purchases are placed under federal laws 44-FZ and 223-FZ, namely: the purchasing module ZakazRF (562 thousand records), RTS-tender (550 thousand records), Roseltorg (468 thousand records), National Electronic Platform (142 thousand records), ETP AHRF (18 thousand records) and Sberbank AST (500 thousand records). On all of these sites, you can find the personal information of auction participants.

Calling the appearance of this information a leak is a stretch, Begtin clarified in a conversation with RBC. “This is the initial accessibility due to errors in legislation and ignorance of the developers [of the sites],” he said.


How is passport data leaked?

Begtin gave an algorithm for obtaining personal data from each of the mentioned sites. All of them were working when RBC began work on this article. After RBC contacted representatives of Sberbank AST, the platform closed the ability to download data.

The mechanism for downloading documents with personal data is the same at all of the listed sites. In most cases, the data could be found (as RBC verified) in the decisions stored there on the approval of open auctions. Some of them also contain e-mail addresses, SNILS numbers and information about the employment of auction participants.

Why is the data in the public domain?

Personal data is posted on electronic platforms because decisions to approve large transactions in most cases contain information about those who approved the transaction, as well as about their representatives.

The representative of RTS-Tender told RBC that according to the law, for the accreditation of participants on the electronic platform, a certain list of documents must be transferred - his company uploaded it to the website. Nikolai Andreev, General Director of Sberbank AST, told RBC that according to the approved procedure, the register of participants contains information about the name of the organization, OGRN, TIN, as well as the start and end date of accreditation. In the open register of procurement participants, which all operators of electronic platforms are required to maintain in accordance with the norms of 44-FZ, sometimes personal data can be found, noted the press service of Roseltorg. However, all information and documents displayed in the register are prepared by the bidders themselves, and the operators of electronic platforms are obliged to publish them unchanged, the company representative explained.

According to Begtin, the problem lies in two big gaps in the legislation. “The first is the requirement to publish publicly available decisions on the approval of major transactions, which, according to Russian practice, often include the passport data of the founders,” he explained. The second is in the practice of using a qualified electronic signature for the publication of documents by customers and suppliers. "The signature attached to such a file contains the same metadata as the electronic signature - full name, e-mail, SNILS," Begtin told RBC.

Does the open placement of passport data violate the law?

The processing of personal data of bidders requires their consent and is regulated by the law "On Personal Data", said Andrey Arsentiev, analyst at InfoWatch Group. “Of course, having personal data in an open environment is a violation. Apparently, electronic trading platforms do not always pay enough attention to protecting the data of trading participants, since there is no strict liability for violations,” he explained.

Disclosure of passport data may fall under Art. 137 of the Criminal Code (criminal liability for violation of privacy), says Konstantin Bochkarev, an advisor to the law firm CMS. He cites an example from judicial practice, when the Moscow City Court recognized a telephone number as a personal or family secret. When such information is published, Art. 13.11 of the Administrative Code of the Russian Federation (violation of the legislation of the Russian Federation in the field of personal data) may also apply, the lawyer claims.

What if you find out about your data breach?

According to lawyers, an individual who has discovered a leak of his data can go to court for damages. However, if there is no evidence of the fact of material losses, it will be difficult to obtain compensation, Bochkarev is convinced. “For an ordinary citizen who cannot afford a long and costly lawsuit, the most effective way is to go directly to the site where the data is published and ask them to be removed,” he said.

In addition, Roskomnadzor has the right to fine the electronic site upon reporting in the press about a personal data leak, even without complaints from individuals. “In this case, the data will also be quickly deleted,” Bochkarev added. He noted that such "negligence" threatens reputational risks for electronic platforms.

Recent data breach scandals

In early April, a database of ambulance patients of several cities near Moscow was posted on the Internet. From it you can find out the names, addresses and phone numbers, as well as the state of health of those who see the doctors. The Investigative Committee began a check into the matter.

Facebook has been accused of large-scale personal information leaks several times. The most recent case was in April, when the data was publicly available on other platforms and in Amazon cloud storage. Prior to this, representatives of the social network discovered that the passwords of a number of Facebook users were stored on its servers in unencrypted form, in plain text. It was reported that the inappropriate storage of information was revealed during a routine security check in January; it affected "hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users."

Authors: Evgeniya Kuznetsova, Evgeniya Balenko

Featuring: Mikhail Nesterkin