Hackers unanimously agree that known leaks are just the tip of the iceberg; in most cases, having gained access to data, hackers try not to reveal the information publicly so that the organization that has been hacked cannot respond. “Some databases to which hackers already have access are constantly being saturated with large amounts of new data, and spitting it out publicly means losing this access,” says BlackBird.
How susceptible is Russia to hacking?
Data breaches become public when hackers want to hurt an enemy or build a reputation for themselves. Of course, data is also sold for money - to spammers, scammers, and data aggregators. “We constantly sell and leak data,” says admits Michael Myers, a member of the UHG hacker group. “We mainly try to help our military personnel, but we also have to fund our technical operations.”
Obviously, all else being equal, the more people use the Internet, leaving their data there, the more data leaks will happen. Russia is among the world leaders in the use of the Internet, and the COVID-19 pandemic only increased this reliance.
The West's economic sanctions do not make matters easier for Moscow: many Western IT companies, whose anti-hacking solutions were previously purchased by Russian businesses — Cisco, IBM, Imperva, Fortinet, Norton, Avast — have limited or stopped their activities in Russia.
“If previously Russian companies could afford to use the largest, best known, most proven anti-hacking software, now they have to improvise,” notes one expert, who wished to remain anonymous.
“The fact that Russia is extremely dependent on Western technologies, which are now incredibly difficult to source in the absence of manufacturers, makes hacking Russia all the easier,” notes Baranovich from the Ukrainian Cyber Alliance.
How does Russia fight hackers?
In theory, Roskomnadzor, Russia's media and information technology agency, has the mandate to protect personal data. This is a otherwise a very active government body: it blocks opposition sites, enforces censorship in Russia, studies ways to disconnect Russian networks from the outside attacks, and even makes sure that Vladimir Putin is not called offensive names. Because of its breadth of tasks, there are simply no resources left to protect the personal data of Russians, and the law does not provide any real help in this regard.
“The entire fight against leaks today involves sending letters and simulating vigorous activity," notes the information security expert. "Some meager fines are applied only after a scandal arises in the media."
Personal data protection looks like this. Each operator of personal data — be it Russia's leading internet company Yandex or a regional pizza delivery service — must be included in the register of operators. Now there are almost one million companies like this. If a leak occurs, the company is obliged to notify Roskomnadzor, which typically launche an investigation and then, possibly, force the company to face administrative liability. The maximum fine under it is 100,000 rubles ($1,100).
Businesses are scared
The Ministry of Digital Development is now preparing a bill that it hopes can reduce the number of data breaches. It increases fines for companies whose data has been leaked. For the first breach - 3–15 million rubles ($33,000 - $170,000), for a repeat leak - 3% of the company’s annual turnover, but no less than 15 million rubles and no more than 500 million rubles ($5,500,000).
At the same time, the company will be able to reduce the fine if it is able to reach an agreement with the majority of victims, including people whose data was leaked, offering them compensation. This is supposed to be done through State Services.
Business is traditionally afraid that officials will use it not for good, but rather their own personal interests
Roskomnadzor has proposed introducing actual licensing of large personal data operators (more than a million records) with the same law. The proposal entails transitioning to a licensing system, where companies with more than one million data records would need to meet specific criteria. These criteria include hiring at least five individuals with higher education in information security, demonstrating the capability to pay major fines, and restricting data processing to within Russia. Subsequently, Roskomnadzor would conduct an assessment of the company's IT infrastructure to determine it sufficiently protected.
While all this sounds reasonable, business is traditionally afraid that, having received leverage in the form of large fines and licensing, officials will use it not for good, but rather their own personal interests — economic or otherwise.
“Such a law encourages officials to try to increase the number of fines rather than to stop leaks,” the cybersecurity expert concludes.
From Your Site Articles
Related Articles Around the Web
