Sale of confidential information
Information is one of the most sought-after commodities in today's world. The sale of confidential information has two aspects: the sale of data obtained illegally and the sale of data obtained lawfully. The lawful case relates to the legal transfer of ownership of restricted data sets when a business is bought. Here the data can be vulnerable during preliminary negotiations.
Personal data market
The greatest business risk is theft of restricted data for the purpose of its subsequent sale, carried out by hacker groups or insiders acting in their own interests or in the interests of competitors. The market for confidential information is growing every year. Hackers hunt for funds in the accounts of citizens, personal data and other information closed to the general public.
The black market for personal data, previously found at offline venues such as radio markets, is now concentrated in the Darknet, the closed sector of the Internet. In most cases, access to resources is only possible using Tor or similar programs, but many resources can be reached through a regular search engine.
The huge number of data offers is grouped according to two parameters:
- the entity from which the data was stolen (a specific bank or mobile operator);
- the type of data ("breaking through" databases of car owners, accounts, citizens' real estate).
The most popular product is personal databases in Excel format covering the regions of Russia. They contain the full name, gender, phone number, passport data (series, number, by whom and when issued), SNILS, and registration and residence addresses. Many databases were formed in 2017-2018. The cost of one entry is 20-25 kopecks. This information is used to send spam and to steal funds fraudulently using social engineering techniques.
Visual information that allows a citizen to be identified is sold in separate packages:
- a photo of a passport and of the citizen holding the passport. Such a kit costs from 150 rubles. The data comes from pass bureaus and from Internet projects where confirmation of passport data is required, for example, e-wallets or online casinos;
- a set of scanned copies of a passport, SNILS, driver's license and TIN costs from 300 rubles; banks are often the source of the leaks.
Over the past year, the number of offers for packages of documents of bank card holders has grown. For those who need a bank card issued in a third party's name, already issued cards of Russian banks (Sberbank, Tinkoff, Alfa-Bank) are sold on the Darknet. Cost: from 5,000 to 12,000 rubles per card. The plastic is accompanied by an already executed contract, a scanned copy of the account holder's passport, PIN code, attached SIM card, code word, and login and password for the Internet bank. Experts note that prices have increased in this market, that little-known credit institutions have entered it in addition to Sberbank, and that the list of nominal cardholders has expanded. The revival of the market is associated with a change in the structure of shadow financial flows.
In addition to packages of documents and bank cards, the Darknet also offers services known in slang as "breaking through", that is, obtaining more detailed information about a person by full name or passport number.
The main services on the "breaking through" market include obtaining data from databases of mobile operators:
- Beeline. Detailing of a subscriber's calls and SMS is offered at a price of 2,000 rubles; determining the location and the owner of the number at the time of the request costs 3,000-4,000 rubles;
- MTS. Prices rose by more than 50 percent over the year. Intermediaries ask from 15,000 to 20,000 rubles for detailing and from 10,000 rubles for a single location request for one subscriber;
- Megafon - detailing and locating the subscriber cost the same - 10,000 rubles;
- Tele2 - the cost of detailing calls and messages starts at 5,000 rubles.
Experts note that over the past year, prices on the "breaking through" market have increased more than fivefold. A new service has also appeared: finding the five phones that are closest to the subscriber at a particular moment. Its cost starts from 90,000 rubles.
The current situation in the market for bank "breaking through":
- Tinkoff Bank and Sberbank. In the Darknet, statements of a citizen's account can be ordered at prices from 1,500 rubles for one month to 7,500 rubles for six months;
- Alfa Bank. The prices are as follows: 2,000 rubles for a monthly statement and 8,000 rubles for account data for six months;
- Post Bank, Bank Avangard, Russian Standard. A one-month statement for a citizen's account or card costs from 2,000 rubles;
- Uralsib. Account statement or card statement per month - from 8,000 rubles.
The peculiarity of the black banking information services market is that there are few sellers of primary data, each of which has tens and hundreds of intermediaries. Prices from intermediaries are significantly higher, and the pricing policy depends on the region. It is interesting that for some banks, for example, VTB, there are practically no offers.
In addition to obtaining information from private organizations - banks and mobile operators - the service of breaking through state databases is available on the black market for information about citizens.
Transport-related data is the most popular:
- Traffic police. Data on fines, car owners and driver's licenses is sold from 1,500 rubles per entry;
- the "Search-Magistral" system, which aggregates information about the movements of citizens on airplanes, trains, buses and ferries. "Breaking through" costs from 2,000 rubles per entry;
- access data to Moscow CCTV cameras of the Safe City system - from 5,000 rubles.
Analyzing the current situation in the market for the sale of data on citizens, experts draw the following conclusions:
- the number of offers is growing, which indicates both an increase in demand and growing interest in this method of illegal earnings;
- a sharp rise in prices for bank "breaking through" testifies to the effectiveness of the policy of the Central Bank of the Russian Federation in raising the level of protection of personal data;
- the large number of offers of information from mobile operators is proof of the extremely low level of data protection in this market sector;
- sharp price fluctuations that occur periodically may indicate another successful special operation against data providers.
The prospects for the Russian market for the illegal sale of personal data are unclear, as regulators are constantly increasing protection measures and cases of theft of large amounts of information are becoming less and less frequent.
Legal data market
In addition to the black market for data, the idea of creating a legal platform where Russian citizens could sell personal data to interested businessmen emerged in Russia. The Internet Initiatives Development Fund (IIDF) and Israeli Human Digital Capital plan to invest up to 250 million rubles in the creation of the Datamania platform based on the developments of IDX, a subsidiary of IIDF, which manages the platform for verifying data of individuals and legal entities. It is assumed that the project will attract up to 1 million users in the first year, who, for a small fee, will give the business access to their personal data.
To implement this project, it is planned to develop amendments to the legislation allowing partially free circulation of personal data. The authors of the idea believe that a Russian citizen will be able to earn up to 60 thousand rubles a year by giving businesses access to his data. The prototype of the platform has already been tested; according to experts, it may be in demand among citizens and businesses.
Foreign market for the sale of personal data
The Russian data market has its own specifics, due to the needs of customers and the differing levels of information protection among personal data operators. The situation is slightly different in foreign markets. They have been studied much more deeply than the Russian one, and the trends forming in them, especially in the United States, make it possible to draw conclusions about the prospects of the Russian market for illegal circulation of personal data.
A study by Metric Labs says that a large package of personal data of an American citizen, including credit card information, can be purchased for as low as $1,200. Health insurance card numbers are put up for sale most often; they cost from $1 per entry. Uber user account data regularly appears on the market. It reveals travel routes and allows travel at someone else's expense. Logins and passwords for electronic wallets are in demand; the cost of this data starts from $250.
A feature of the American market is the acquisition of personal data in order to use the resources of its owner. In addition to taxi accounts and health insurance card numbers, hacked accounts of participants in electronic auctions are popular, since they make it possible to buy goods using the resources of their owners. In Russia, this type of illegal Internet business is much less developed.
The United States has three of the largest data markets on the Darknet: Dream, Point, and Wall Street Market. Among the offers presented there are complex packages of personal data of citizens. Professionals of the information market can find dozens of a citizen's accounts in social networks and other resources, combine them into a single package and offer it to customers at a price of $1,000.
Interestingly, not all information about citizens gets into the Darknet illegally. For a long time, providers were allowed to sell users' personal data. A law partially restricting this right was passed only under Obama. This law was repealed by President Trump, and providers can now freely sell data about visits to sites and the geolocation of visitors.
Liability for the sale of personal data
Experts note that the number of crimes related to theft and sale of information in Russia is growing every year. Theft of data from government agencies, the Federal Tax Service, Rosreestr, and banks has significantly decreased, but the number of attacks on the information bases of mobile operators and private companies has increased.
Theft of information is carried out in the following ways:
- direct copying of data by an insider, sometimes using a colleague's login and password;
- external penetration into information networks;
- interception of information sent over communication networks;
- infection of information networks with malicious software that finds the necessary information and transmits it outside the system;
- methods of social engineering, in which citizens voluntarily provide the fraudsters with the necessary information.
These methods of obtaining data for sale often violate the norms of the current legislation. The Criminal Code of the Russian Federation contains rules designed to bring to justice persons who illegally trade in personal data.
The following are subject to the greatest protection:
- state secrets;
- commercial and banking secrets;
- personal data of employees and customers.
Russian law is lenient toward sellers of information, and sentences are short. Most often, those who steal information from their employer are prosecuted; it is almost never possible to punish the organizer or intermediary. As a result, the volume of the black market for information about citizens is not decreasing, but growing.
The most commonly applied provision is Article 272 of the Criminal Code of the Russian Federation, "Illegal access to computer information". Most of the cases are connected not with the fact of illegal transfer of confidential information to third parties, but with the implementation or use of malicious programs aimed at solving this problem. Persons who obtain bank cards in the names of nominal holders for resale are prosecuted under the same article (case No. 1-13/18 of the Astrakhan Regional Court). It is also used to prosecute employees of mobile operators who transfer data to intermediaries at their request, while the intermediaries almost never become defendants in criminal cases.
There is no systematic application of the possibilities of the criminal legislation to the participants in the black market of confidential information, especially given the fact that the schemes often involve law enforcement officers who provide services to “break through” citizens on various requests. This is due to the fact that crimes are committed in a closed part of the Internet, which is practically not monitored by law enforcement officers.
Violations are revealed only at the moment of direct theft of information from banks or mobile operators, and only by the management of the organizations, which then involves law enforcement agencies in the case. The market for the sale of restricted data is shrinking in part only due to the actions of regulators, who require the introduction of ever more effective software and technical measures for protecting personal data.
Data protection when selling a business
When an enterprise passes into the hands of a new owner, the rights to the confidential information accumulated in the course of the company's activities are transferred along with the ownership rights to goods, funds and know-how. But before the rights are re-registered, there is always a preliminary audit stage, at which the potential buyer wants to obtain the maximum possible information about the asset in order to make a fair assessment.
The buyer is usually interested in:
- business profitability;
- information about its clients, the policy of attracting them, marketing techniques;
- structure, platform, source code and other elements of the website;
- business model;
- assets and rights to them.
This information may be classified as a trade secret of the company, and it should be provided with caution to a person who may decline the purchase. The very fact that the business has been placed on the market should be kept from third parties, as it can negatively affect employee motivation and customer loyalty. The buyer may turn out to be dishonest and show interest only in order to learn the secrets of the company's business success.
There are several security rules that will reduce the risk of leaking trade secrets:
- prepare an offer for an unlimited circle of buyers, which includes the necessary information about the scope of the business, profitability, the number of personnel, and at the first stage of negotiations do not provide more information to interested parties than is indicated in the offer;
- sign a non-disclosure agreement at the second stage of negotiations. It provides for responsibility for transferring trusted classified information or documents to third parties. It is permissible to make an exception for the transfer of such information to consultants - lawyers, accountants, auditors - provided that a similar agreement is signed with them on the observance of the commercial secret regime. If the buyer refuses the transaction, the agreement should provide for the buyer's obligation to destroy the received paper copies of documents, as well as data in electronic media, including e-mail correspondence, without the possibility of recovery;
- provide a potential partner with data with an increasing degree of confidentiality at each stage of negotiations. In case of refusal at one of the preliminary stages, the most valuable information will not be provided to him and will not be exposed to the threat of disclosure;
- based on the results of the initial agreements, conclude a preliminary contract for the sale of the business that sets out the obligations of the parties regarding the conclusion of the main contract. The agreement prescribes the stages of the transaction, the documents that must be signed, and a deposit commitment confirming the intention of the parties. If the deposit is provided and paid, then if the buyer refuses the transaction, it remains with the seller. This confirms the intention to acquire the asset and indicates that the trade secret is not being obtained for the purpose of dissemination. If the seller refuses the deal, the deposit is returned to the buyer in double amount. A deposit to secure the fulfillment of obligations can be placed on a letter of credit at a bank or entrusted to a professional mediator. The same financial security can be provided as a guarantee of fulfillment of the obligation to maintain confidentiality for a certain period.
Following these rules will help to avoid the deliberate or unintentional disclosure of trade secrets in the course of transactions involving an operating business. The language of the preliminary agreement and the non-disclosure agreement regarding liability for the dissemination of trade secrets should be unambiguous and not open to interpretation. To make it easier to bring the culprit to justice, all media carrying trade secrets that are transferred during negotiations must be marked as confidential.
All measures aimed at preserving trade secrets should be based on an understanding of which documents and files make up the secret and where they are located in each specific situation. This will simplify control over its illegal distribution.