Almost 900,000 Russians have had their personal data, including passport details, phone numbers, and work and home addresses, leaked online from three Russian banks and may now fall victim to spamming and even fraud, Russia’s Kommersant newspaper reported on Monday, citing Moscow-based data security company DeviceLock.
The personal data, collected between 2013 and 2019, was leaked from four archives. While some of the data is believed to be outdated, the rest is up-to-date, the outlet reported. According to the newspaper, the data was published online in May, but DeviceLock detected the leak only on June 7.
Two of the leaked data archives allegedly belong to OTP Bank and Home Credit Bank. The database of the former contains the information of 800,000 people from across Russia and dates back to around 2013, while that of the latter covers over 24,400 alleged clients, the newspaper reported.
“Our bank has not registered any data leaks, and we are unaware of the origin of this database,” OTP Bank told the outlet, commenting on the situation.
Home Credit Bank, in turn, told the newspaper that the bank would try to establish where the leaked data had come from.
The other two archives, dating 2014-2015 and 2018-2019, respectively, came from Alfa Bank, one of the largest commercial banks in Russia. The databases contain the personal information of over 55,500 possible clients of the bank, including those working in the Interior Ministry and the Federal Security Service.
DeviceLock founder and CTO Ashot Oganesyan told the newspaper that the first archive, which contained data belonging to people from a single Russian region, could have been leaked after the bank’s regional IT department was dismissed.
According to Oganesyan, the data was first traded in the black market and only then leaked online to the public. As for the second archive, the DeviceLock founder believed that it may have been leaked by a single bank employee since it concerned only about 500 people.
The bank’s press service told the outlet that special services were verifying whether the data was indeed correct and up-to-date.