Big data – big losses: biggest Big Data leaks in 3 years

Among the threats of unauthorized use of Big Data, personal data leaks are the most dangerous. Each time information about the identities of hundreds of thousands of people around the world is “leaked” to the public, companies start thinking about protecting information again. In this article, we cover the biggest leaks of personal data over the past few years, how the laws of various countries try to prevent the illegitimate use of Big Data, and how well they succeed.

Big data – big losses

Among the best-known information leaks of the past few years, the following are worth noting:

• in May 2019, the personal data of 900,000 clients of 3 major Russian banks (OTP Bank, Alfa-Bank, and Home Credit) was made publicly available: names, phone numbers, passport data, places of work, and account balances;

• in April 2019, a publicly accessible MongoDB database that required no authentication was discovered; it contained information from Moscow ambulance stations, including personal data of employees and patients (date/time of the team call, names of team members, license plate number and status of the team car, call address, names, date of birth, gender and description of the patient’s condition, name and contact phone number of the person who called the ambulance);

• in March 2019, personal data of clients of the Doc+ online medical consultation service was publicly available: current user logs with requests and responses of the service, including authorization keys and personal data, were available at the IP address;

• in September 2018, a cyberattack on Facebook leaked the data of 30 million users;

• in November 2018, the leak of personal data of 500 million customers of the Marriott hotel chain became known: passport numbers, dates of birth, email addresses, postal addresses, check-in and check-out dates, and in some cases even bank card data were made publicly available;

• in 2018, data leaks affected the CIA, the FBI, the US Department of Defense, the UK, the International Olympic Committee, the People’s Bank of China, and users of BitTorrent, GitHub, Skype, Tinder, WhatsApp, and YouTube;

• in the fall of 2017, dossiers on more than 5.6 million clients of insurance companies were freely available; they included not only personal information but also information about the insured persons’ cars, transaction histories and copies of documents;

• in 2017, one of the most discussed security incidents was the leak of data on the actors of the popular TV series “Game of Thrones”: the actors’ phone numbers, home addresses and email addresses were publicly available;

• in 2016, personal data of Uber users was leaked: the names, addresses and phone numbers of 50 million customers and 7 million drivers around the world were stolen by hackers. For this, the UK and Dutch authorities fined Uber’s European arm $1.2 million.

How laws deal with Big Data leaks

According to the observations of the InfoWatch Analytical Center, many countries are now tightening the administrative regulation of data security by increasing fines and introducing new requirements. In particular, the General Data Protection Regulation (GDPR), in force since May 2018, tightens liability for violating the rules for processing personal data: fines for non-compliance with this European regulation can reach 20 million euros (about 1.5 billion rubles) or 4% of the company’s annual global revenue. The GDPR also has extraterritorial effect and applies to all businesses that process personal data of EU residents and citizens, regardless of where the business is located. Therefore, branches of Russian organizations in the EU, as well as domestic companies that provide services to EU citizens, must meet the requirements of the GDPR.

Against this background, Russia’s regulatory policy looks quite soft: victims of personal data leaks can expect a court to award them compensation for damages of 4 to 50 thousand rubles. Despite the existence of laws on the protection of personal data and of banking, state, and commercial secrets, as well as articles of the Criminal Code covering their violation, state regulation in the field of Big Data protection is still imperfect. Even the tougher penalties (from 30 thousand to 18 million rubles) for violating the federal law that requires the personal data of Russians to be stored on the territory of the country do not guarantee that information is protected from leaks. In addition to regulatory documents of a punitive nature, detailed organizational and technical regulations are required, and it is compliance with these that will ensure the security of big data.