What happened to Russian Post
The group behind the data leaks from the GeekBrains educational center, the Delivery Club delivery service, the Skolkovo business school and others published information about Russian Post shipments on July 29.
“The posted sample contains exactly 10 million lines, each containing the tracking number of the shipment, the full name or company name of the sender/recipient, the recipient’s phone number (about 4 million numbers of Russians in total. – Ed.), the city/postal code of the sender/recipient, the weight/shipment status, and the date/time of dispatch,” reported the Telegram channel Data Leakage & Breach Intelligence.
Russian Post confirmed a partial leak. According to the operator, the attackers compromised a contractor, as a result of which “part of the data really did fall into the hands of hackers.” The press service of Russian Post stressed that the attack would not harm customers, since no banking information was exposed.
Roskomnadzor asked the company for information about the incident, but on July 1 it turned out that the agency had no authority to investigate personal data leaks. The reason is the moratorium on business inspections, which remains in force until the end of the year. Because of it, the RKN is not even entitled to request materials about leaks.
While the State Duma works on removing personal data operators from the list of “untouchables” exempt from inspections, users have to take care of the safety of their online shopping themselves. The Russian Post data leak is by no means the first: earlier, data on customers of CDEK, Avito, Wildberries and many other services was published on the Web.
Data in exchange for shopping
“Any online store is, of course, interested in obtaining as much real data about its customers as possible. This helps it make the right offers to a person, predict their consumer behavior and, accordingly, increase sales,” says Konstantin Stepanov, CEO of HFLabs, a Russian IT company that works with large customer databases.
The most valuable data for sellers is contact information, Izvestia’s source adds. In practice, it is impossible to do without a real address when goods are delivered by Russian Post or another courier service; without it, the delivery cost cannot be calculated.
“The buyer provides his registration data (including personal data), including but not limited to: full name, phone number, email address, location address, gender, date of birth, information about body parameters (clothing size), details of electronic means of payment (number, expiration date, CVV/CVC code), etc.,” the Wildberries rules say.
When registering, the buyer automatically agrees that they have provided information about themselves voluntarily and for an unlimited period. Until the client withdraws that consent (which requires filing a special application), any such site has the right to store this data, use it for advertising and transfer it to the persons listed in the user agreement.
The path of incognito
But the rules do not stipulate whether the buyer is obliged to provide real information about themselves, in particular a real name. Using a pseudonym is one way to protect personal information, online advice-givers say.
“As a rule, most marketplaces do not require verification of the full name. At the same time, when placing an order, a bank card bearing the full name of its owner is specified,” says Denis Frolov, a member of the Moscow Region Bar Association.
According to Pavel Korostelev, head of the product promotion department at Security Code, using a nickname only makes sense if you want to trace which source leaked the data. “This method will not help prevent the theft of personal information,” he emphasizes.
Moreover, it is contrary to the law, which permits the use of fictitious names by journalists, authors of works of art and subscribers of telecom operators, as well as by courts and law enforcement agencies, to conceal the identity of participants in a case and as part of criminal proceedings, explains Maria Spiridonova, a member of the Russian Bar Association.
In this context, people deal with “personally identifying data”, without which, in particular, it is impossible to defend one’s rights in court if something goes wrong.
Stop before payment
Another way to reduce risk is to keep a separate email box for purchases. This is convenient, since there is no need to expose your main email address everywhere, when, for example, social network accounts or a “Gosuslugi” account may be linked to it, notes Konstantin Stepanov. Apple, for example, does offer a service for hiding one’s real email address.
“Some people are even setting up dedicated phone numbers for shopping, and it is likely that after a while we will see a surge of interest in temporary mobile numbers,” the expert adds.
This approach, however, has a downside. Fictitious email addresses and other data prevent an online store from fighting unscrupulous buyers. Sellers, in particular, lose money on customers who constantly place large orders and then fail to collect them, explains Konstantin Stepanov. Such buyers can also cause trouble for other users: while a lover of wholesale orders buys up the marketplace’s stock, the product you want disappears from sale and then often comes back to the warehouse damaged.
At the same time, Pavel Korostelev of Security Code emphasizes: yes, it is advisable to use separate cards, email boxes and phone numbers. But there is a nuance: “You need to understand that these are reactive measures that protect not from a leak, but from its consequences.”
In the case of unverified online stores, you should immediately pay attention to the payment form. Valery Stepanov, commercial director of BSS-Safety, explains that a payment form must be generated individually for each purchase.
“User data must be reliably protected from intruders and transmitted to the acquiring bank in encrypted form using the TLS (Transport Layer Security) cryptographic protocol,” Izvestia’s source explains.
In addition, payment security must be confirmed by PCI DSS (Payment Card Industry Data Security Standard) certification. “An important link in the process is 3D Secure technology, which confirms the operation using a code from an SMS sent to the number linked to the buyer’s card,” adds Valery Stepanov.
On July 14, Russian President Vladimir Putin signed a law designed to strengthen the protection of Russians’ personal data. Operators are now required to notify the responsible authorities of leaks without delay. In the spring, amendments were approved that prohibit sellers from asking customers for excessive information. For violators, fines ranging from 5,000 to 50,000 rubles are planned.
In rare cases, stores may require additional information, for example when buying jewelry worth more than 40 thousand rubles.
“We recommend not making fields in customer forms on websites mandatory. If a person does not want to leave information about themselves, it is better to give them that option. Otherwise, they will fill in the required fields with fictitious data,” says Konstantin Stepanov of HFLabs. “It is better to know less about customers, but let that information be relevant and truthful.”
The larger the profile, the higher the likelihood that the store will receive “garbage” data that is difficult to work with. Clients do not benefit from this either, and the temptation to use a pseudonym and fictitious information about oneself brings its own problems. A person simply risks being left without the product if they cannot identify themselves to the seller or the delivery service. This concerns Russian Post first of all, explains lawyer Maria Spiridonova.
There is only one way to protect your personal data on your own: do not leave it anywhere, or choose services very carefully, says Pavel Korostelev, head of the product promotion department at Security Code.
“But practice shows that there are not so many really reliable places, for various reasons,” concludes Izvestia’s source. “And given that online shopping is very convenient, we must be aware that there is always a risk of leakage and, by and large, nothing can be done about it.”