Is Russia being punished for illegal trade in personal data?

Probably already the whole Habr knows that our personal data have long and successfully become the object of legal and illegal trade. I wrote about the market of banking information, data of mobile operators and government agencies here in the article: " Analysis of black market prices for personal data and breaking through ."

We will not talk about the so-called legal part of this business now, let's talk about its illegal side and try to figure out how they stop this activity and stop it at all.

In this article I will talk about who and how in Russia they catch for illegal trade in data. Only real cases, no theory!

Judging by the huge number of proposals for “breaking through” on the black market, one might get the impression that the state and private companies - personal data operators (banks, mobile operators, etc.) simply withdrew from solving this problem.

However, there are cases when sellers are caught and even judged. True, it is worth noting that, as a rule, direct executors of orders are caught, i.e. employees of organizations that have access to information because of their duties. But intermediaries who actively hire such unreliable employees of banks, telecom operators, government agencies, and then resell the data of citizens on the black market, often remain in the shadows and escape punishment.

I made a selection for the year of all cases of arrest and conviction of persons one way or another connected with the sale of personal data, about which the media wrote and which were held in my channel “ Information Leaks ”. They were not so much, but the rich ...

February 2018

The case of four residents of Penza, arrested for selling personal data of subscribers of mobile operators, was sent to court. According to investigators, in October 2016, a 26-year-old Penza resident and his 27-year-old acquaintance decided to find insiders who have access to two mobile operators, who, for a fee, will copy the personal data of subscribers and information about their telephone conversations. Companions managed to negotiate with two 20-year-old girls who worked in the salons of mobile operators. An announcement on the sale of personal data of subscribers and information about calls was posted on specialized forums on the Internet. From December 2016 to the end of March 2017, 17 orders were received, each costing from 500 to 4,000 rubles.

March

The prosecutor's office of the Nizhny Novgorod region reports that according to the investigation, the 30-year-old officer of the criminal investigation department of the OMVD of Russia for the Bogorodsky district in 2015 organized an illegal transfer of information from the departmental data banks of the Ministry of Internal Affairs for monetary remuneration. In 2016, he also brought his younger brother to this, who also held the position of security officer of the criminal investigation department. The attackers systematically used access to the databases of the Ministry of Internal Affairs of Russia to obtain and transmit official information via the Internet to an indefinite circle of people. This criminal activity lasted more than a year. It is noted that in this way men received an income of more than 700 thousand rubles.

In the Lipetsk region, three criminal cases were immediately brought against a bank employee. The financial consultant of the local office of a famous bank illegally used customer personal data about accounts and deposits. The audit revealed that the bank employee used the clients' personal data to steal money from their accounts and deposits. I note only that there was a embezzlement of funds from clients' accounts, and not data trading, which is probably why the bank decided to submit an application to the Ministry of Internal Affairs. I do not know of other public cases when banks officially investigate illegal access to customer information.

Two former operative officers from Bogorodsk (Nizhny Novgorod region) received 1.5 years of imprisonment for the use of personal data from the database of the Ministry of Internal Affairs. During the investigation, circumstances were established for police officers to receive 800 thousand rubles from citizens from more than 20 constituent entities of the Russian Federation. Most of the transferred personal data is related to the verification of information about the owners of motor vehicles.

April

A 33-year-old ex-investigator of a Moscow regional police department, resigning from law-enforcement agencies on his own, decided to earn money by trading data on private telephone conversations. Having obtained the fake print of the Meshchansky District Court of Moscow, in two years he managed to issue about 300 false court decisions on the provision of details of telephone conversations, as well as information about the subscribers themselves from the main cellular operators. The cost of one order for details and subscriber data ranged from 45 thousand to 100 thousand rubles, while the former investigator himself was given 10–15 thousand rubles. The rest of the money was distributed among intermediaries with whom the ex-investigator mainly communicated with the help of instant messengers.

In Saratov, according to the results of the prosecutor's check, a criminal case was initiated against the official. It was established that from March to December 2016, the assistant to the operational duty department of internal affairs in the city of Saratov, having access to information about incidents and crimes that occurred in the territory of the city of Saratov, systematically transferred information about the death of citizens to an individual entrepreneur who carried out activities in the field of ritual services.

They caught the former head of one of the divisions of the Committee on the management of city property and land resources of the Nizhny Novgorod administration. For a bribe of 1.2 million rubles, the 36-year-old head of the department agreed to transfer any information of limited access, including personal data of citizens, contained in information systems for accounting of real estate and land plots. In confirmation of his readiness for “cooperation”, the official handed over a USB-drive with a part of the requested data. In December, the court sentenced the former chief to imprisonment for a term of 8 years with serving a strict regime colony, as well as a fine of 3.6 million rubles, for bribery. In addition, for 5 years he will not be able to hold certain positions.

May

In Voronezh, a former employee of the cellular company was accused of illegally spying on phone calls. She is charged with violation of part 2 of article 138 of the Criminal Code of the Russian Federation (violation of the secrecy of correspondence, telephone conversations and other communications of citizens, committed by a person using his official position). Investigators found that from November 30, 2017 to February 22, 2018, an employee of a cellular company, while at the workplace, illegally looked through the details of telephone connections.

June

In Mordovia, employees of cellular companies that traded personal data received a suspended sentence. The 27-year-old operator of the contact center of T2Mobile LLC Anatoly Panishev received 1 year 7 months, and the 24-year-old specialist of PJSC Vimpelcom, Anna Sineva, 1 year 4 months. The investigation found that in February 2017, Paniseva, using Telegram, was contacted by a former employee of T 2-Mobile LLC (Saransk) Sineva with a proposal to transfer photos of her with passport data, telephone numbers that she provided to WhatsApp and Telegram. For one phone number, she promised to pay 200 rubles. According to some reports, Sineva resold personal data on the Internet for 500 rubles. In the period from February to April 2017, Panishev, through the computer program Invoice, copied to his phone personal data of subscribers, including last names, first names, patronymic names, identity documents, parameters of service provision — information about the funds on the personal account, and transmitted via Telegram them on Blue Bone's mobile phone.

September

The former deputy head of the police department No. 1 “Severnoye” of the OMVD of Russia in the Nakhimov district in Sevastopol received three years in prison for selling data on the death of people to employees of a ritual company. Alexander Baranovsky was found guilty of accepting bribes from the owner of a ritual firm. For several years he transmitted information about the deaths of citizens and the data of their relatives.

October

The FSB detained a Russian border guard, who probably sold information about the trips abroad of Alexander Petrov and Ruslan Boshirov, accused of poisoning the GRU colonel Sergei Skripal. The border guard worked in the North-West Federal District. An employee of one of the divisions of the Federal Tax Service (FTS) was detained along with him. The arrests took place as part of a special operation to prevent leaks from closed databases. By the way, this special operation quite severely knocked down the black market of the “gravestone” for some time.

November

In Kaliningrad, a 25-year-old cell salon manager was detained for selling customer personal data. The manager was approached by an unknown man who asked for a reward to provide data on a specific subscriber. The case was initiated under part 3 of article 272 of the Criminal Code of the Russian Federation (illegal access to computer information). The maximum penalty is imprisonment for up to five years.

The court of Tomsk sentenced to three years conditionally the former local police, who for financial remuneration reported to the employee of the ritual bureau the personal data of the deceased. “It was established that in the period from December 27, 2017 to April 3, 2018, the defendant, being a divisional officer of the OMVD of Russia for Tomsk district, received a bribe in the form of money for a total of 21,000 rubles for illegally providing confidential information to the deceased person acting in the interests of a commercial organization providing funeral services. These data were later used to secure the conclusion of contracts for the provision of funeral services with relatives of deceased citizens. ”

December

The Investigation Department of the Investigative Committee of the Novosibirsk Region opened a criminal case on the illegal transfer of information constituting a commercial secret in respect of an employee of the Russian Telephone Company. On November 20 last year, the suspect logged into the system under his working username and password and copied information containing information about the date and time of connections, numbers of outgoing and incoming connections of the MTS cellular subscriber, and then transferred these data to third parties. A criminal case under part 2 of article 183 of the Criminal Code of the Russian Federation (illegal transfer to third parties of information constituting a commercial secret) was initiated against the suspect. The employee faces up to three years in prison.

The prosecutor’s office of the Leninsky district of Magnitogorsk sent a criminal case to the court against the former head of the municipal government of the pension fund, who was accused of accepting a bribe and abusing authority. In 2017, a woman handed over to the employee of a commercial bank the personal data of citizens who were illegally used in the performance of a credit institution. For this, the head of the pension fund received a bribe in the amount of 61.4 thousand rubles. This money was transferred to the bank account of her daughter under the guise of providing financial assistance from the employer.

The Domodedovo City Court of the Moscow Region found a police officer guilty of corruption offenses and sentenced him to four years and six months in prison. In addition, the convict was fined 600 thousand rubles. The court found that the policeman for several months repeatedly received bribes in the amount of up to 15 thousand rubles. through an intermediary for the provision of migration card forms and personal data of foreigners from an automated database.

January 2019

In Murom, the investigation of the criminal case against the former employee of the cellular salon, charged under part 2 of art. 138 of the Criminal Code (violation of the secrecy of telephone conversations), Part 3 of Art. 272 of the Criminal Code (unauthorized access to legally protected computer information) and part 3 of art. 183 of the Criminal Code (illegal receipt of information constituting a commercial secret). In January 2017, a 23-year-old former employee of the cellular salon repeatedly forged statements on behalf of clients to receive information about connections, and when receiving data copied them to removable media. On behalf of clients, he sent 43 service requests for receiving subscribers' details - part of the requests was satisfied. Such activity alerted the security staff of the telephone company - the employee was calculated, after which he was dismissed, and the materials were transferred to the investigating authorities. The criminal case with the approved indictment was sent to the court. In accordance with the law, the defendant faces up to 5 years in prison.

In Perm, a former police officer is accused of abuse of power (part 1 of article 285 of the Criminal Code of the Russian Federation) and petty bribery (part 1 of article 291.2 of the Criminal Code of the Russian Federation). In 2017, she had access to information of banks, which contained personal customer data. Without the knowledge of the citizens themselves and the relevant requests of the competent authorities, she provided these data to the director of a commercial organization. For this information, a former police officer received a reward - from 100 to 500 rubles. After the bribery cases were revealed, the woman was fired from the internal affairs bodies. The criminal case is completed, the case file has been submitted to the court.

An employee of Megafon mobile operator in St. Petersburg was charged with a crime, Part 2 of Art. 138 of the Criminal Code (violation of the secrecy of correspondence, telephone conversations, postal, telegraph or other messages). The court found that the defendant was in the position of a reporting engineer for the corporate data warehouse and had no obligation to preserve the company's confidential information. He, using his official position, having access to the data of billing systems, got access to the victim's confidential information and passed this information to unidentified persons. Taking into account the position of the state prosecution, the absence of objections from the victim, the petition of the investigator is satisfied, the defendant is fined 100 thousand rubles.

February

In Novosibirsk, the court sentenced two former MTS employees who stole a database of subscribers from Novosibirsk, Barnaul, Novokuznetsk and Berdsk. At the time of the theft, one of the attackers had already resigned from the MTS, and the second continued to work as a leading supervisor. The theft was committed on July 18, 2018. Two intruders freely entered the office and entered the office with a computer that had access to the corporate network. One of them asked for the login and password from the authorities. They tried to send the downloaded database to their personal mail as an archive file, but this was not possible due to the large size. Then the archive was divided into several parts and sent back to the post office. In total, the stolen database contained data on 506,185 subscribers, containing: last names, first names, patronymic names, telephone numbers and addresses. During the preliminary investigation, the attackers admitted that they tried to sell each subscriber’s data for one ruble per record, thus earning more than 500 thousand rubles. On February 26, 2019, the court found Nikita Chernitsov and Vitaly Ivanov guilty under Article 183 of the Criminal Code of the Russian Federation "Collection of information constituting a commercial secret, causing major damage or committed out of mercenary interest." Chernitsova was sentenced to 1 year 6 months probation with a similar probation, and Ivanov was given three months less.

In Tomsk, the former district police officer was sentenced to receive a bribe for providing information about deceased citizens in the interests of the ritual firm. The court found that from January 2 to June 18, 2018, the defendant, then serving as a district police officer, received a bribe of 42,000 rubles for illegally providing confidential information about the personal data of deceased citizens to a person acting in the interests of a commercial organization providing funeral services . These data were later intended to ensure the conclusion of contracts for the provision of funeral services with the relatives of deceased citizens. The court sentenced the defendant to three and a half years imprisonment with a probation period of three years. He was also deprived of the right to hold positions in the system of law enforcement bodies of the Russian Federation for two years.

A court in Novosibirsk convicted the head of a ritual agency in giving bribes. A 41-year-old man was sentenced to seven years of imprisonment for three years on probation. The entrepreneur gave bribes to police officers in order to obtain information about the personal data of the deceased in Novosibirsk, namely, their last name, first name, patronymic, date of birth and death, as well as location.

March

In the Voronezh region, the court will consider the case of the 38-year-old head of the department of PJSC IC “Rosgostrakh”, which illegally copied the customer database in July 2018. According to the investigation, the woman, having access to the customer base, copied her personal data, contacts and information about the cost of insurance services. To send data to herself, she used corporate email. The criminal case was initiated under Part 3 of Art. 272 of the Criminal Code (illegal access to legally protected computer information, if this act resulted in copying of computer information). The maximum sanction is imprisonment for 4 years.