Published DevOps service files from Sberbank employee
Leaks from Sberbank continue. This time, the open-access files of the DevOps department appeared, which show how Sberbank checks the performance of its own systems, Kommersant reports . Experts believe that these files leaked simultaneously with the address book of employees.
It should be reminded that in October 2018 on a hacker forum posted file login.csv.zip . This is an archive with a 47 megabyte spreadsheet login.csv. Fields in the database:
Surface authentication confirmed the authenticity of the database. In particular, there are three correct e-mail addresses of the president of the bank, German Gref. The authenticity of the database was confirmed by one of the employees of Sberbank and a representative of a third-party organization related to the information security of the bank.
By law, only the full name is not considered personal data, so the leakage of only this information cannot be considered a consequence of inadequate protection of personal data. Another thing, if in conjunction with the name there will be other information to identify users. How to classify the address book of employees of Sberbank, indicating the login and place of work (up to the department), the court can decide, lawyers differ opinions.
New files are official documents that relate to the integration of software development and operation processes (DevOps), explained Zecurion CEO Alexei Raevsky. Colleagues from the banking sector have added that this is a draft of a project on a specific Sberbank system, with an obviously unfinished work.
Experts agree that there was no information theft, namely the careless actions of an employee who, wanting to work at home, sent work files to his home mail.
“The ability to send restricted access information to an external address may indicate a low information security culture in a particular company, as well as a lack of quality protection against leaks,” said Alexei Raevsky. The files show which systems the bank uses and how their health is checked. Information may have value for a narrow circle of intruders, since it indicates certain system vulnerabilities that can be used when attempting to break into.
“The archive contains working technical documentation, the exchange of which is possible, including with contractors, via the Internet to perform production tasks,” the bank’s press service said.
It should be reminded that in October 2018 on a hacker forum posted file login.csv.zip . This is an archive with a 47 megabyte spreadsheet login.csv. Fields in the database:
- Full name
- Login in the internal system (same as email address)
Surface authentication confirmed the authenticity of the database. In particular, there are three correct e-mail addresses of the president of the bank, German Gref. The authenticity of the database was confirmed by one of the employees of Sberbank and a representative of a third-party organization related to the information security of the bank.
By law, only the full name is not considered personal data, so the leakage of only this information cannot be considered a consequence of inadequate protection of personal data. Another thing, if in conjunction with the name there will be other information to identify users. How to classify the address book of employees of Sberbank, indicating the login and place of work (up to the department), the court can decide, lawyers differ opinions.
New files are official documents that relate to the integration of software development and operation processes (DevOps), explained Zecurion CEO Alexei Raevsky. Colleagues from the banking sector have added that this is a draft of a project on a specific Sberbank system, with an obviously unfinished work.
Experts agree that there was no information theft, namely the careless actions of an employee who, wanting to work at home, sent work files to his home mail.
“The ability to send restricted access information to an external address may indicate a low information security culture in a particular company, as well as a lack of quality protection against leaks,” said Alexei Raevsky. The files show which systems the bank uses and how their health is checked. Information may have value for a narrow circle of intruders, since it indicates certain system vulnerabilities that can be used when attempting to break into.
“The archive contains working technical documentation, the exchange of which is possible, including with contractors, via the Internet to perform production tasks,” the bank’s press service said.