The National Credit Bureau refuted a major leak of its client database. Earlier, this was reported by the Telegram channel “Information Leaks.” According to its authors, passport details, phone numbers, loan amounts, and other information about the bureau’s clients were made available to the public. In total – over 200 million records. As the blog authors clarified, the database was published by a certain hacker. The NCB denied the leak on their part. They stated that there is no basis for this and noted that the Telegram channel was trying to “catch a certain hype” in this way. However, the bureau admitted that the information may be genuine.
What kind of data is contained in the database? And how dangerous can it be? “Ekho Moskvy” asked Vladimir Ulyanov, the head of the Zecurion analytics center: “The information contained in this database is quite universal. Names of individuals, passports, contact phones, region – all this is used in many places. Therefore, based on this set of fields, it is impossible to judge the origin of the data; it is assumed to be a fragment of the database.
But if we are talking about a case where, as in this situation, hundreds of thousands of contacts are involved, then it is difficult to call it a fragment; it is really a full-fledged database that is of interest, including to fraudsters. It can be used for unauthorized purposes and may cause some harm.
Do not think that this is the information that can be used to take out a loan for someone. There are other scenarios, for example, the use of social engineering methods, where they call, gain trust, and get the person to divulge data that can be monetized.”
In the data protection expert community, it is believed that the database that ended up in the public domain is most likely a compilation, meaning not unique data, but a compilation of previously leaked data. However, to speak more specifically, additional investigation is needed. As noted by the NCB, creditors and credit brokers could be the source of the leak.
According to the basic standard of the Central Bank, in order to assess the solvency of a client, such organizations should obtain information from credit bureaus. But the organization is not their only source. In particular, microfinance organizations use their own models to assess the income of borrowers to determine their debt burden. Anton Gruntov, the director of security at the Eqvanta group of companies, believes that the version of the leak from microfinance organizations is unrealistic:
“The key point is that no financial organization, including banks, even the top 3, is unlikely to have such a large volume of individual unique accounts. We lean towards the version that this is a compilation, meaning not the amount of unique accounts that is claimed.
Usually, such leaks have a provocative nature, their goal is to cast doubt on the security system of a specific organization, to create public resonance.
It is necessary to understand whether these are unique records, what volume of data is concentrated in each of them, and then figure out which organizations can aggregate this information in such a way as it is currently contained in the leak.”
Meanwhile, according to “Kommersant,” if we sum up the scale of announced leaks since the beginning of the year, it amounts to over 750 million records. That’s five records for each Russian, including the elderly and infants.