Is illegal trade in personal data punished in Russia?
Probably all of Habr already knows that our personal data has long been a successful object of both legal and illegal trade. I wrote about the market for banking information and for data from mobile operators and government agencies in the article "Analysis of the black market prices for personal data and breaking through".
We will not discuss the so-called legitimate part of this business here. Instead, we will look at its illegal side and try to work out how to stop this activity, and whether it should be stopped at all.
In this article I’ll talk about who gets caught in Russia for the illegal trade in data, and how. Only real cases, no theory!
Judging by the huge number of offers for “breaking through” on the black market, it may seem that the state and the private companies that act as personal data operators (banks, mobile operators, etc.) have simply avoided solving this problem.
However, there are cases in which sellers of personal data are caught and even put on trial. It is worth noting, though, that as a rule it is the direct executors of orders who get caught, i.e. employees of organizations who have access to the information by virtue of their duties. The intermediaries, who actively recruit such unreliable employees of banks, telecom operators and government agencies and then resell citizens' data on the black market, often remain in the background and evade punishment.
I compiled a selection, covering one year, of all the cases of detention and conviction of people connected in one way or another with the trade in personal data that the media wrote about and that appeared in my channel “Information leaks”. There were not that many of them, but this is what we have ...
February 2018
The case of four residents of Penza, arrested for selling the personal data of mobile operator subscribers, was sent to court. According to the investigation, in October 2016 a 26-year-old resident of Penza and his 27-year-old acquaintance decided to find insiders with access at two mobile operators who, for a fee, would copy subscribers' personal data and information about their telephone conversations. The accomplices managed to reach an agreement with two 20-year-old women who worked in mobile operator salons. Advertisements for the sale of subscribers' personal data and call information were posted on specialized Internet forums. From December 2016 to the end of March 2017, 17 orders were received, each costing from 500 to 4,000 rubles.
March
The prosecutor's office of the Nizhny Novgorod region reports that, according to the investigation, a 30-year-old operative of the criminal investigation department of the Russian Ministry of Internal Affairs in the Bogorodsky district organized, in 2015, the illegal transfer of information from departmental data banks of the Ministry of Internal Affairs for a fee. In 2016 he also brought in his younger brother, who likewise held the position of detective in the criminal investigation department. The perpetrators systematically used their access to the databases of the Ministry of Internal Affairs of Russia to obtain official information and pass it over the Internet to an indefinite number of people. This criminal activity lasted more than a year. It is noted that the men earned over 700 thousand rubles this way.
In the Lipetsk region, three criminal cases were opened at once against a bank employee. A financial consultant at the local office of a well-known bank illegally used clients' personal data concerning accounts and deposits. An audit revealed that the bank employee used the clients' personal data to steal money from their accounts and deposits. I will only note that this was theft of funds from customer accounts, not data trading, which is probably why the bank decided to file a report with the Ministry of Internal Affairs. I do not know of other public cases in which banks officially investigated illegal access to customer information.
Two former detectives from Bogorodsk (Nizhny Novgorod Region) each received a suspended sentence of 1.5 years for using personal data from the Ministry of Internal Affairs database. The investigation established that the police officers received 800 thousand rubles from citizens in more than 20 constituent entities of the Russian Federation. Most of the personal data passed on related to checks of information about the owners of motor vehicles.
April
A 33-year-old ex-investigator from one of the Moscow regional police departments, having resigned from law enforcement of his own accord, decided to make money by trading data on private telephone conversations. Having obtained a fake seal of the Meshchansky District Court of Moscow, over two years he managed to draw up about 300 fake court decisions ordering the main cellular operators to provide details of telephone conversations as well as information about the subscribers themselves. The cost of one order for call details and subscriber data ranged from 45 thousand to 100 thousand rubles, of which the ex-investigator himself received 10-15 thousand rubles. The remaining money was distributed among intermediaries, with whom the ex-investigator communicated mainly via instant messengers.
In Saratov, following a prosecutor’s inspection, a criminal case was opened against an official. It was established that from March to December 2016 an assistant to the operations duty officer of the internal affairs department in the city of Saratov, who had access to information about incidents and crimes in the city, systematically passed information about the deaths of citizens to an individual entrepreneur who provided funeral services.
The former head of one of the units of the Committee for the Management of City Property and Land Resources of the administration of Nizhny Novgorod was caught. For a bribe of 1.2 million rubles, the 36-year-old head of the department agreed to hand over any restricted-access information over the course of a year, including the personal data of citizens held in the information systems for registering real estate and land. To confirm his readiness for “cooperation”, the official handed over a USB drive with part of the requested data. In December, the court sentenced the former official to 8 years of imprisonment under a strict regime and a fine of 3.6 million rubles under the article on bribery. In addition, he will be barred from holding certain positions for 5 years.
May
In Voronezh, a former employee of a cellular company was accused of illegal surveillance of phone calls. She is charged under Part 2 of Article 138 of the Criminal Code of the Russian Federation (violation of the secrecy of correspondence, telephone conversations and other messages of citizens, committed by a person using their official position). Investigators found that from November 30, 2017 to February 22, 2018 the employee, while at her workplace, illegally viewed details of telephone connections.
June
In Mordovia, employees of mobile companies who traded in personal data received suspended sentences. Anatoly Panishev, a 27-year-old contact center operator at T2 Mobile LLC, received 1 year 7 months, and Anna Sineva, a 24-year-old specialist at PJSC Vimpelcom, received 1 year 4 months. The investigation established that in February 2017 Sineva, a former employee of T2 Mobile LLC (Saransk), contacted Panishev via Telegram with a proposal that he send her photos with the passport data for phone numbers that she provided via WhatsApp and Telegram. She promised to pay 200 rubles per phone number. According to some reports, Sineva resold the personal data on the Internet for 500 rubles. Between February and April 2017, Panishev used the Invoice computer program to copy the personal data of subscribers, including last names, first names,
September
The former deputy chief of police department No. 1 of the Severnoye OMVD of Russia for the Nakhimovsky District in Sevastopol received three years in prison for selling data on deaths to employees of a funeral firm. Alexander Baranovsky was found guilty of receiving bribes from the owner of the funeral firm. For several years he passed on information about the deaths of citizens and the data of their relatives.
October
The FSB detained a Russian border guard who probably sold information on the foreign trips of Alexander Petrov and Ruslan Boshirov, accused of poisoning GRU colonel Sergei Skripal. The border guard worked in the Northwestern Federal District. An employee of one of the units of the Federal Tax Service (FTS) was detained along with him. The detentions took place as part of a special operation to prevent leaks from closed databases. Incidentally, this special operation pretty much crippled the black market for “breaking through” government databases for some time.
November
In Kaliningrad, a 25-year-old manager of a mobile phone salon was detained for selling the personal data of a client. An unknown man approached the manager and asked for data on a specific subscriber in exchange for a fee. The case was opened under part 3 of Article 272 of the Criminal Code of the Russian Federation (unlawful access to computer information). The maximum penalty is imprisonment for up to five years.
The Tomsk court gave a three-year suspended sentence to a former district police officer who, for a financial reward, passed the personal data of the deceased to an employee of a funeral bureau. “It was established that between December 27, 2017 and April 3, 2018, the defendant, being a district police officer of the Ministry of Internal Affairs of Russia in the Tomsk Region, received a bribe in the form of money totalling 21 thousand rubles for the illegal provision of confidential information about the deceased to a person acting in the interests of a commercial organization providing funeral services. These data were further used to secure the conclusion of funeral services contracts with relatives of deceased citizens.”
December
The Investigative Department of the Investigative Committee for the Novosibirsk Region has opened a criminal case against an employee of the Russian Telephone Company over the illegal transfer of information constituting a trade secret. On November 20 of last year, the suspect logged into the system using her work login and password, copied data on the dates and times of connections and the numbers of outgoing and incoming connections of an MTS mobile subscriber, and then transferred this data to third parties. The criminal case has been opened under Part 2 of Article 183 of the Criminal Code of the Russian Federation (illegal transfer to third parties of information constituting a commercial secret). The employee faces up to three years in prison.
The prosecutor's office of the Leninsky district of Magnitogorsk sent to court a criminal case against the former head of the city department of the pension fund, accused of receiving a bribe and abuse of authority. In 2017, the woman handed over to an employee of a commercial bank the personal data of citizens, which was then illegally used in the business activities of the credit institution. For this, the head of the pension fund department received a bribe of 61.4 thousand rubles. The money was transferred to her daughter's bank account under the guise of financial assistance from an employer.
The Domodedovo City Court of the Moscow Region convicted a police officer of corruption crimes and sentenced him to four years and six months in prison. In addition, the convict was fined 600 thousand rubles. The court found that over several months the policeman repeatedly received bribes of up to 15 thousand rubles through an intermediary for providing migration card forms and the personal data of foreigners from an automated database.
January 2019
In Murom, a criminal investigation has been completed against a former employee of a mobile phone salon, who was charged under part 2 of article 138 of the Criminal Code (violation of the secrecy of telephone conversations), part 3 of article 272 of the Criminal Code of the Russian Federation (unlawful access to computer information protected by law) and part 3 of article 183 of the Criminal Code (illegal receipt of information constituting a trade secret). In January 2017, the 23-year-old former employee of the mobile phone salon repeatedly forged applications on behalf of clients to obtain information about their connections and, on receiving the data, copied it to removable media. On behalf of clients, he sent 43 service requests for subscriber call details, and some of the requests were fulfilled. This activity alerted the security staff of the telephone company: the employee was identified and then fired, and the materials were handed over to the investigating authorities. The criminal case, with the approved indictment, was sent to court. Under the law, the accused faces up to 5 years in prison.
In Perm, a former police officer is accused of abuse of power (part 1 of article 285 of the Criminal Code of the Russian Federation) and petty bribery (part 1 of article 291.2 of the Criminal Code of the Russian Federation). In 2017, she had access to information from banks that contained the personal data of customers. Without the knowledge of the citizens themselves and without the relevant requests from the competent authorities, she provided this data to the director of a commercial organization. For this information, the former police officer received a reward of 100 to 500 rubles. After the cases of bribery were uncovered, the woman was fired from the internal affairs bodies. The investigation has been completed and the case file has been submitted to court.
An employee of the mobile operator Megafon in St. Petersburg was accused of a crime under part 2 of article 138 of the Criminal Code (violation of confidentiality of correspondence, telephone conversations, postal, telegraphic or other messages). The court found that the defendant held the position of engineer for the development of corporate data warehouse reporting and was obliged to protect the company's confidential information. Using his official position and his access to billing system data, he obtained confidential information about the victim and passed it to unidentified persons. Taking into account the position of the state prosecution and the absence of objections from the victim, the court granted the investigator’s request and fined the defendant 100 thousand rubles.
February
In Novosibirsk, a court sentenced two former MTS employees who stole a database of subscribers in Novosibirsk, Barnaul, Novokuznetsk and Berdsk. At the time of the theft, one of the perpetrators had already quit MTS, while the second was still working as a leading supervisor. The theft was committed on July 18, 2018. The two freely entered the office and went into a room with a computer that had access to the corporate network. One of them asked his superiors for a login and password. They tried to send the downloaded database to their personal e-mail as an archive file, but could not do so because of its large size. The archive was then split into several parts and sent by e-mail again. In total, the stolen database contained the data of 506,185 subscribers, including surnames, first names, patronymics, phone numbers and addresses. During the preliminary investigation, the perpetrators admitted that they tried to sell the subscriber data at one ruble per record and thus earn more than 500 thousand rubles. On February 26, 2019, the court found Nikita Chernitsov and Vitaly Ivanov guilty under Article 183 of the Criminal Code of the Russian Federation, “Collection of information constituting a trade secret that caused major damage or committed out of mercenary interest”. Chernitsov received a suspended sentence of 1 year 6 months with a probationary period of the same length, and Ivanov was given three months less.
In Tomsk, a verdict was handed down to a former district police officer who received a bribe for providing information about deceased citizens in the interests of a funeral firm. The court found that from January 2 to June 18, 2018, the defendant, while working as a district police officer, received a bribe of 42 thousand rubles for illegally providing confidential information about the personal data of deceased citizens to a person acting in the interests of a commercial organization providing funeral services. These data were intended to be used subsequently to secure contracts for the provision of funeral services with relatives of the deceased citizens. The court sentenced the defendant to three and a half years of imprisonment, suspended, with a probationary period of three years. He was also deprived of the right to hold positions in the law enforcement bodies of the Russian Federation for two years.
A court in Novosibirsk found the head of a funeral agency guilty of giving bribes. The 41-year-old man was given a suspended sentence of seven years in prison with a probationary period of three years. The businessman bribed police officers to obtain the personal data of people who had died in Novosibirsk, namely their surname, name, patronymic, dates of birth and death, as well as location.
March
In the Voronezh region, the court will consider the case of a 38-year-old head of department at PJSC IC Rosgosstrakh, who illegally copied a customer database in July 2018. According to the investigation, the woman, having access to the customer database, copied for herself customers' personal data, contacts and information on the cost of insurance services. She used corporate email to send the data to herself. A criminal case was opened under Part 3 of Art. 272 of the Criminal Code (unlawful access to legally protected computer information, if this act entailed the copying of computer information). The maximum sanction is imprisonment for 4 years.