10 October 2019
SOCHI, 10 October – RIA Novosti/Prime. A number of customer database leaks are associated with government agencies or online retailer hacks, but sometimes users provide their personal data themselves, according to the Central Bank’s report presented during the Forum of Innovative Financial Technologies FINOPOLIS.
“A certain number of database leaks discussed in the public domain are related to government institutions. <...> Data leaks from credit and financial organizations affect only a small number of Russia’s adult population. Thus, the sources of personal data leaks are not necessarily authorized employees of credit and financial institutions who have access to the said data, but rather many other numerous personal data processing operators,” the document says.
The results of information monitoring and analysis concerning client data leaks from financial institutions show that the leak channels also include hacker attacks on internet retailers that sell goods and services using remote card payments.
“When customers of such internet resources place their orders, they often provide information about themselves (such as name, address, phone numbers) that is sufficient for them to be identified. The bank card numbers used for payment are sometimes obtained as a result of hidden embedding of malicious code into the website code, which reads, stores and transmits data to the hackers. In some cases, customer data may be sold by the owners or employees of said retailers,” the Central Bank elaborates.
Fraudsters can also watch large trading floors and monitor certain participants of such resources. “The data of payment cards are often reported in correspondence or in telephone conversations by the participants themselves. They can later be compared and compiled with information previously obtained from other sources, including that from the past leaks of other databases available on the market (such as databases of taxpayers, owners of cars, real estate and other property or social networks). In some cases, a complete set of data on particular clients of financial institutions may never be obtained as a result of such reconnaissance and analytical activity; however, the missing information is either provided by the clients themselves during a conversation with the operator (the ‘ringer’), or is generally ignored, and the conversation is based on the available incomplete data only,” states the report.
“Personal data is also easily accessible to a wide range of people for a fee via Telegram bots,” says the document.