Protection without protection
What is a person? From a legal point of view, a person is a subject of law with characteristics that allow him to be identified: gender, date and place of birth, passport number, place of registration. All of this is personal data that has a certain value for merchants (because a person still has value as a consumer), creditors (to search for your assets), and fraudsters (to get money from you). Accordingly, the state is trying to protect our personal data (PD) from illegal use. Administrative fines increased significantly from July 1, 2017. Officials can now be fined from 3,000 to 20,000 rubles, individual entrepreneurs from 5,000 to 20,000 rubles, and organizations from 15,000 to 75,000 rubles.
There is also criminal liability:
- for the illegal collection or dissemination of information about a person's private life constituting his personal and family secret, without his consent (part 1 of article 137 of the Criminal Code of the Russian Federation): from fines of up to 200,000 rubles to imprisonment for a term of two to four years.
- for unauthorized access to computer information that resulted in the destruction, blocking, modification (change) or copying of information (part 1 of article 272 of the Criminal Code of the Russian Federation).
The above acts are punishable by fines of up to 200,000 rubles or imprisonment for a term of two to four years. Of course, protection consists of more than adopting legal rules that provide for liability. An important factor is how the state actually applies these rules. One indicator of how serious government protection is can be found in the cost of services for overcoming a particular legal barrier. If the asking price is high, the barrier is serious and the costs of overcoming it are large. If the asking price is low, the state itself is not particularly concerned about compliance with these laws.
So how effective is the protection of our personal data? Judge for yourself. At the end of last year, DeviceLock (one of the leading manufacturers of DLP systems in the Russian Federation) conducted a study of the Russian black market for personal data and related criminal services. In the course of the study, offers posted on darknet resources (the “shadow Internet” accessible through the Tor browser) were collected and analyzed.
- The cost of personal data without scans of documents has not changed much compared to the beginning of 2018. The cost of scans of documents has decreased by 25% on average, while the cost of the “punching” service (the illegal provision of personal data) has, on the contrary, grown by 25% to 400%, depending on the segment.
- Regional databases of personal data in Excel format for 2017-2018, containing name, gender, telephone, full passport data, SNILS, and registration and residence address, are sold at 20-25 kopecks per record. Compared to the beginning of 2018, prices have not changed. A passport scan together with a photo of the passport holder holding the passport is offered at 150 rubles per set, and a set consisting of scans of the passport, SNILS, driver's license and TIN costs from 300 rubles. Notably, it was in this area that prices fell markedly, by about 25%, while the number of offers increased markedly (all according to the laws of the market).
Services for “punching” a person's data at mobile operators have grown in price by no less than 25%. A subscriber's detailed call and SMS records for a month are offered at 2,000 to 20,000 rubles, a price increase of about 50%. This area has the widest choice of both the data itself and its sellers: everything is offered, from all kinds of extracts to continuous monitoring of the subscriber's location.
Services for “punching” banking information have also increased significantly in price (by at least 50% per year). The availability of these “services” depends heavily on the region of the Russian Federation. A statement of a customer's account at a bank (from the Top 10) is offered starting from 8,000 rubles per month / 10,000 rubles for six months. Many intermediaries are active in this area, offering an initial price 4 times higher than the real one. Moreover, the cost of these “services” and the list of banks where this can be done change very quickly. Apparently, the human factor is at work.
Based on the study, DeviceLock draws the following conclusions:
- The value of PD without scans of documents is quite low, because such PD is used, as a rule, for spam or telephone fraud, which in principle does not bring serious income. Scans of documents are used to obtain online loans and to carry out fictitious transactions, and are therefore in greater demand among scammers.
- One of the major channels for leakage of document scans is microfinance organizations (MFIs). Moreover, the share of leaks from MFIs is constantly increasing. For example, over the past quarter, the share of MFIs in the total number of cases associated with data leaks increased from 3% to 5%.
- The number of PD offers on the black market has not decreased; on the contrary, it has visibly increased. Prices for almost all types of PD have risen. The rise in prices for “punching” in banks is particularly noticeable.
I think the state has something to work on.