Sberbank, a major state-affiliated banking and financial services institution in Russia, has disclosed an alarming breach that exposes approximately 3.5 billion pieces of personal data belonging to Russian citizens, impacting about 90% of the adult population in the country. This revelation underscores ongoing vulnerabilities in data security across various sectors, as highlighted by Stanislav Kuznetsov, the bank’s deputy chairman, who described the situation as “deplorable.”
The analysis conducted by Sberbank during late 2023 and early 2024 pinpointed online retailers and healthcare facilities as primary sources of these data leaks, with breaches reaching their peak in 2023. However, the incidents have not ceased, with ongoing concerns regarding data safety manifesting throughout the economy. Information security firm Infowatch has reported significant exposure of Russian personal information, estimating that a third of breaches involve large databases comprising over 100,000 records. Such databases frequently belong to diverse services, including popular platforms like Yandex.Eda for food delivery and SDEK for shipping, both of which have recently faced data exposures. Compounding these issues, government databases are also implicated, with revelations from August 2024 indicating the leak of the FSB Border Service database, which holds sensitive information about individuals crossing Russia’s borders from 2014 to 2023.
The leaked data typically encompasses a wide array of personally identifiable information (PII), such as full names, passport numbers, phone numbers, residential addresses, and email accounts. Cybercriminals frequently exploit this information for phishing schemes and other fraudulent activities that leverage social engineering strategies. The increase in data leaks correlates directly with a rise in scam activities; consequently, the Bank of Russia reported substantial financial losses due to fraud, with nearly R4.7 billion (approximately $48 million) stolen from bank clients through unauthorized transactions in just the second quarter of 2024.
In a troubling trend, Sberbank noted a dramatic uptick in fraudulent phone calls targeting Russian citizens throughout 2024. Kuznetsov indicated that during February and March, daily attempts to reach individuals via phone scams soared to about 20 million. Sberbank projects that fraud-related losses could reach R1 trillion (around $10 billion) by the end of the year, further emphasizing the grave implications of these breaches.
Given the scale and nature of these incidents, the MITRE ATT&CK framework provides a relevant lens through which to assess the tactics and techniques likely deployed in these cybercriminal activities. Initial access methods may include phishing emails, which allow attackers to gain a foothold within targeted systems. Once inside, they may use persistence techniques to maintain access and privilege escalation to move past layers of system security. This multifaceted approach shows that attackers may operate without sophisticated resources, capitalizing instead on systemic vulnerabilities and human factors.
As the cybersecurity landscape continues to evolve, the emphasis on safeguarding sensitive information is paramount for organizations both within Russia and globally. Business owners must remain vigilant and proactive in implementing robust security protocols to counteract the persistent threat of data breaches and associated fraud.