The credit histories of more than one million Russians with data of mobile operators obtained from the Bureau of Credit Histories (BKI) were in the public domain since the end of August. Bob Dyachenko, an independent cybersecurity researcher discovered this data on October 10 and reported the problem to the BKI. After that, the database was closed.
As Dyachenko noted, specialized search engines indexed the information on August 28 and it is not known whether anyone had time to download the information.
The database could belong to GreenMoney microfinance company, which gave the online loans, according to media reports. It contains passport data of borrowers, addresses of registration and actual place of residence, phone numbers, and information about loans.
Andrei Lutsyk, GreenMoney CEO, said that the company complies with all requirements for the storage and processing of personal data provided by law, but mentioned that an audit is being carried out.
Information security expert Vitaliy Vekhov noted that any leak of personal data carries risks for its owners. In this case, he believes, it is important to understand exactly what information appeared on the Internet: “For example, passport data alone do not carry anything. According to a photocopy of the passport, as you know, nothing can be issued. If we are talking about the data of Bank cards, they can be used only if there is a CVV code, and it is not in the data of credit histories.”
At the same time attackers can freely use any data with the help of certain resources. GreenMoney was deleted in mid-September from the register of the Monetary Financial Institutions (MFIs) for numerous violations.