the channel of leaks through the “clouds” has become twice as wide

Over the past six months, the share of open databases with personal data of Russians who entered Runet through cloud technology has almost doubled: from 10% in April to 19.5% in November. These findings are contained in the company’s study on cybersecurity DeviceLock (available to Izvestia). There are few banking leaks, because of these organizations, information leaks into the public field through insiders. The “clouds” mainly contain information from MFIs and fiscal data operators. Such information is no less valuable for attackers, since it is also used in fraud using social engineering methods.

Partly cloudy

In total, over 200 cloud servers with personal data of Russians that do not require authorized access have appeared in the public domain over the past six months, the DeviceLock study says. In total, the company discovered and examined 1,150 servers, 60% of which could be opened without a username and password.

In particular, the network turned out to be the data of the Drimkas OFD (14 million records), which contained the addresses of stores with names and contents of checks, as well as the microfinance company GreenMoney (more than 1 million records). Another major available server mentioned in the study was located in a cloud called Amazon Web Services and contained 20 million records about Russians, the study said.

They ordered the passport to show: Russians voluntarily merge personal data into the Network

How to avoid becoming a victim of scammers on the Internet

Among the verified “clouds”, there were practically no bank bases, since these organizations operate under the strict supervision of the regulator, and also incur direct losses when data falls into the hands of fraudsters. Therefore, financial institutions invest in cyber defense and install special software, the expert emphasized.

– Although bank leaks are the most dangerous, some data, for example, from microfinance organizations and credit bureaus, can also be used to increase the victim’s confidence in the calling fraudster. In addition, sometimes besides personal information, there are also payment information in open databases: card or account numbers, information about money transfers or purchases — it can be used by attackers to carry out fake transactions, ”said Ashot Oganesyan, Technical Director of DeviceLock.

The growth in the share of unprotected cloud storage is associated with the digitalization of business, while the competencies of companies in the field of cybersecurity lag behind. As a result, more and more available resources and open APIs appear on the Web, he said.

In 2019, the media have repeatedly reported leaks in the data of bank customers, including from Sberbank, VTB, Alfa-Bank, Binbank (attached to Otkrytie). The Central Bank did not answer Izvestia’s questions about the use of cloud services, citing FinCERT’s report. It says that only 12% of the databases that are sold on the black market relate to financial institutions.

More than half of corporate information systems use the default username and password (which are easy to pick up), and about a quarter of these systems have high-risk configuration flaws, Alexey Novikov, director of the Positive Technologies security expert center, confirmed statistics. He agreed that there are more such leaks because the number of companies using cloud technologies is growing. And recently, “clouds” are used more and more often, because it has become popular when programmers can be recruited to the development team in different regions, the expert added.

Outsourcing negligence

Izvestia interviewed major Russian banks, MFIs, and fiscal data operators if they use cloud services. Alfa Bank, ICD and Ak Bars Bank said they did not apply such solutions. The online lending services Robot Seimer, RoboCredit and Webbankir told Izvestia that they were using the “clouds”, but all of them included client authentication and data encryption. In other organizations, including the DFM “Dreamkas” and the MFO “GreenMoney”, they did not answer the questions of “Izvestia”.

Such mistakes are usually made by organizations that seek to release the product faster, but neglect security issues, said Vyacheslav Yashkin, director of the information security department at Ak Bars Bank. Problems with protecting customer information are typical for startups who are in a hurry to deploy their service and do not always have time to think through all the nuances, agrees Dmitry Pelevin, co-founder of the Webbankir financial online platform.

He emphasized that the majority of personal data leaks are associated not with an error in system design, but with a human factor: for example, one of the programmers can use his access rights with malicious intent.

Data servers may be open if the bank works with outsourced programmers and does not have sufficient ability to control the process, suggested the leading anti-virus expert at Kaspersky Lab Sergey Golovanov. According to him, the problem is disorderly and negligent by the administrator of the base, and work on outsourcing needs to be monitored more seriously.

Open databases are part of a group of hacker leaks, which make up 40–45% of the total. The rest are insiders, which is popular for banks. However, “cloud” plums also cause a lot of problems to companies, since the information does not go away in pieces, but in its entirety, Ashot Hovhannisyan noted. He added that Internet services have been actively developing only the last 10 years, and large-scale data theft has begun quite recently. Therefore, the business is not used to the fact that information needs to be protected as carefully as goods in warehouses, the expert believes.

It is useless to deal with such cases of neglect of personal information of clients without creating a special oversight group that will monitor the Internet hygiene of companies with a large number of clients, said Anton Bykov, chief analyst at the Center for Analytics and Financial Technologies (CAFT). He added that it is difficult for an ordinary citizen to completely secure his data, since any information left in the questionnaire forms leaks into the Network.

According to the expert, one should not worry too much about leaks, since they are not enough to directly write off funds: the security of money depends on the vigilance of the users of financial services themselves.