Herman Gref drip on personal data

Personal data of 420 thousand Sberbank employees became public. The reason for the leak could be the malicious actions of one of the bank employees.
The names and e-mail addresses of about 420 thousand Sberbank employees have appeared online. The bank has not disclosed the reason for the leak; one possible explanation is “malicious actions of one of the employees”. The leak does not threaten Sberbank with major problems, although its staff may fall victim to mass phishing scams. In this case, reputational risk matters more: customers may doubt that a bank that has not managed to protect the data of its own employees properly secures other information.

The other day a database of Sberbank employees was posted on the specialized forum phreaker.pro. The database is a text file of about 47 megabytes containing more than 421 thousand records with employees' full names and their operating system logins, which in most cases coincide with their e-mail addresses. It also shows which unit each employee works in. The database contains data on employees of Sberbank subsidiaries, including foreign ones. At the same time, the number of records exceeds the total headcount of the Sberbank Group, which, according to IFRS data for the first half of 2018, was almost 300 thousand people. This may be because the database contains data on some (not all) laid-off employees. The database was posted by an unknown user and is available for free.

Kommersant's check showed that the information in the database is current as of August 1, 2018 (Kommersant could not find any employees hired after that date).

To verify the authenticity of the data, Kommersant compared the e-mail addresses of some non-public Sberbank managers with its own database. The database includes three e-mail addresses of the bank's president, German Gref. The authenticity of the database was also confirmed by one Sberbank employee and by a representative of a third-party organization involved in the bank's information security. The Sberbank press service also said that it is aware that part of the employee address book has been published.

The published information "does not pose any threat to automated systems and customers," the bank assured. This address book is available to all Sberbank employees and “does not bear the threat of disclosing their personal data,” the bank’s press service stressed. The reasons for the leak were not disclosed. According to Kommersant’s sources, the most likely cause is “malicious actions” by a current or former employee. The problem was reported to German Gref, who has already expressed his displeasure, according to one of Kommersant's sources at the bank.

Stanislav Kuznetsov, Deputy Chairman of the Board of Sberbank, July 19, 2018

Cybercrime is primarily associated with hackers and hacking IT systems. But in reality, more often than not, it is the person who is hacked, not the machine ...

According to Kommersant, the information security department of the Central Bank is also aware of the leak of Sberbank employee data and considers the situation “unpleasant”. However, it was not possible to confirm this officially, or to find out whether the Central Bank is taking any measures (for example, whether it has appealed to the international organization FIRST to have the domains on which the database was posted de-delegated): the press service of the Bank of Russia did not respond to the request.

According to Sergey Chernokozinsky, head of the Information Security Management Department at OTP Bank, for a bank with serious information protection such a data leak is first and foremost a reputational risk, not a cyber risk. “The data can be used for mass distribution of phishing emails, advertising, spam, but serious banks can cope with such problems,” he said.

Vladislav Tushkanov, a web analyst at Kaspersky Lab, noted that data leaks have occurred quite often lately, including at financial companies, health-care organizations and government departments. “For the enterprise itself, this may be fraught with reputational losses, and leaks also pose a threat directly to those whose data fall into open access,” Mr. Tushkanov believes. According to Ilya Zharsky, managing partner of the expert group Veta, bank customers may doubt that a bank which failed to protect the data of its own employees properly ensures the safety of customer information.