Central bank drip

Data on 120 thousand bank clients who were blacklisted by Finmonitoring and the Central Bank have been posted on the Internet.
As “Kommersant” has learned, data on bank customers from the Central Bank's blacklist of clients refused service under anti-money-laundering rules have appeared on the Internet. About 120 thousand citizens and companies are affected. According to experts, this is the first case of information that is in some way connected with the Bank of Russia appearing in open access. Lawyers say that many clients end up on the blacklist by chance, but in addition to problems with banks they may now face further difficulties, for example when applying for a job. The Central Bank and Rosfinmonitoring insist that leaks are impossible. But IT experts believe that it is the Bank of Russia that is to blame, because of an error in the design of the security system for data transmission.

The database of customers refused by banks appeared on specialized Internet forums. “Kommersant” examined its contents and found that it holds information on about 120 thousand clients (this figure is stated in the description of the database) who were denied service by financial organizations under the law on countering the laundering of proceeds from crime and terrorist financing (115-FZ).

Most of the entries are individuals and individual entrepreneurs; some are legal entities. For individuals, the database contains their full name, date of birth, and passport series and number. For individual entrepreneurs it contains the name and TIN; for companies, the name, TIN and OGRN. One of the banks unofficially confirmed to “Kommersant” that the entries are real customers who were refused service. The information security experts interviewed by “Kommersant” could not recall another case in which a leak of bank customer data was related to the Central Bank.

Entries are dated from June 26, 2017 to December 6, 2017. The first date is when the Bank of Russia began to send out a blacklist of customers in accordance with Regulation 550-P. The mailing mechanism looks like this: banks identify customers who are denied service because of suspected violations of 115-FZ and send information about these customers to the Central Bank, which in turn sends it to Rosfinmonitoring. Rosfinmonitoring processes the data received from the banks and transfers them back to the Central Bank, and the Central Bank passes them on, in aggregated form, to the banks. Thus, all banks receive an updated list of suspicious customers, formed by the efforts of the entire sector. The leaked database began to spread several months ago, but, according to “Kommersant”'s information, neither the Central Bank nor Rosfinmonitoring knew about the leak until yesterday.

Rosfinmonitoring stated that it rules out the possibility of information leaking from its side. The press service of the Bank of Russia, in response to a request from “Kommersant”, said that the regulator delivers information about refused customers to market participants in encrypted form via secure communication channels, using certified means of cryptographic protection of information. “Responsibility for the safety of information and the non-transfer of information to third parties is borne by the financial organization that received it,” the Central Bank believes. It did not specify whether the regulator plans to take action to rule out such leaks in the future.

The leak could have occurred in a variety of ways, experts say. “From the Central Bank, Rosfinmonitoring, any bank,” explains Alexey Raevsky, CEO of information protection systems developer Zecurion. In his opinion, the database should have been kept only at the Central Bank, with banks sending it requests to check customers. “In this case, at least, it would be easier to locate the leak, to understand where it occurred. This is probably impossible to do now,” the expert adds. Thus, according to the expert, an information security error was made when the system was designed.

For customers, a leak is dangerous not only because of the disclosure of their data, but also because of the very fact of appearing in the database. Customers can end up on the banks' blacklist by accident, lawyers say. “Often, banks add conscientious clients to blacklists due to negligence or due to a technical error,” says FMG Group lawyer Amina Appaeva. According to Ms. Appaeva, for persons on the list the dissemination of this information can result, in addition to difficulties with banking services, in problems with security services when applying for a job, refusal of contractors to conclude contracts, and other risks. Alexey Raevsky adds that such leaks can lead to the most unexpected negative consequences, up to the disclosure of state secrets. As an example, he cited the case of Petrov and Boshirov, whose real names were compromised by leaked databases, including those of the traffic police.

The distribution of such databases is first and foremost an encroachment on privacy, said Alexey Gavrishev, partner at BMS Law Firm. According to him, the Criminal Code provides for punishment of up to five years of imprisonment for this where official position is used and the data are disseminated via the Internet. Such actions can also be qualified as unlawful access to computer information (imprisonment of up to seven years), the lawyer adds.

Amina Appaeva believes that the crime also falls under the article on the illegal receipt and disclosure of information constituting bank secrecy (up to five years in prison, and if the act entails serious consequences, up to seven years). According to her, the offence is of a public nature, so law enforcement agencies are obliged to begin an inspection. The distribution of such databases falls within the jurisdiction of the Investigative Committee of Russia. Yesterday, the committee's central office could not promptly tell “Kommersant” whether it had received any statements about this, noting that they would be dealt with if received.