Data Leakage in the Federal portal of public services exposes the personal data of millions of Russians
Details of passport, social security number and employment data of 2.24 million Russian citizens were publicly available. Ivan Begtin, the Chairman of the Data Markets Association was discovered this leak. He analyzed the information of the largest Russian electronic trading platforms, where commercial purchases and public procurement are placed, and where important data was publicly available.
Begtin checked 562 thousand records of ZakazRF, 550 thousand records of RTS-tender, as well as records of Sberbank AST and other major Russian electronic trading platforms. Confidential information was in the public domain on each of the websites.
According to the Chairman of the Data Markets Association, the error occurred due to the illiteracy of developers and inaccuracies in the legislation. In his opinion, decisions on approval of major transactions should be published in the public domain by law. These documents often contain personal data. Second, the electronic signature that customers and suppliers use contains data about the name, e-mail and social security number.
Konstantin Bochkarev, the legal advisor of CMS, said that the disclosure of passport data may result in criminal liability for violation of privacy. According to him, there were examples when the phone number was recognized as a personal or family secret in practice of the Moscow city court.
Experts believe that the developers have violated the law “On personal data”. The data can be removed by Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications (Roskomnadzor) on the request of an individual or media reports.
At the moment, Roskomnadzor has already sent to the electronic trading platforms requests for the disclosure of personal data of more than 2 million bidders.
It is interesting to note that Google said in December that the data of 52.5 million people started to be publicly available due to an error in the Google+ service. Applications independently requested data on age, name and e-mail. The company assured that the card data and other personal data were not available to the application.