RBC reports that on February 2, 2020, a customer database of microfinance organizations (MFIs) containing the data of 1.2 million people was put up for sale online. Journalists obtained a sample of the dump containing about 800 entries, including full names, phone numbers, email addresses, dates of birth and passport data.
Although the seller of the database does not name specific MFIs, most of the people who answered calls from RBC journalists said that they had applied for loans from Bystrodengi. The sample also contained data on clients of the companies "Zaymer", "eKapusta", "Lime" and "Mikroklad". All of them used MFI services between 2017 and the end of 2019. Some of the phone numbers in the database turned out to be out of date (they are no longer in service or have changed owner), and some people confirmed that their data was correct but said they had never contacted an MFI.
Representatives of Bystrodengi compared approximately 100 records with their own database and reported that 33% of the rows matched, but not on all fields. "For example, the name and surname match, but the phone number differs from the one in our system," commented Anton Gruntov, security director of the Eqvanta group of companies (which includes Bystrodengi).
In turn, the Zaymer Public Foundation launched a prompt internal investigation into a possible leak of clients' personal data. Preliminary results showed that no personal data had leaked from the existing IFC client base; nevertheless, as reporters were told, the company's management contacted law enforcement agencies. Mikroklad reported that the sample of the dump contained no data belonging to its customers. The remaining large MFIs did not respond to requests from RBC.
A source close to the Central Bank told reporters that the database on sale looks like a compilation of MFI client data from different sources rather than a leak from one particular company. Gruntov believes that the database cannot belong to an MFI or a bank because it is unsuitable for their work: some records contain only a phone number and an email address. According to him, the source of this data could be webmasters or lead generators who collect customer data for resale. Representatives of Zaymer also concluded that the source of the leak could be the databases of partner companies that collect loan applications online and sell them to MFIs. In addition, they suggested that the dump could be a composite database of clients of several MFIs that are no longer operating.
The head of DeviceLock, Ashot Hovhannisyan, said that the database could belong to a single MFI but have been assembled piece by piece from different sources, including that MFI's own client database. The database contains loan applications, and some of them may belong to existing clients of this MFI. "The seller himself confirmed this by writing in the ad that the company itself uses the database for mailings, but very rarely," says Hovhannisyan, noting that either the seller or the person who gave him the dump may work at an MFI.
According to Alexey Sizov, head of the Fraud Prevention Department of the Application Security Systems Center at Jet Infosystems, this database may be a combination of data from several different sources. "For example, it could be assembled from a store's loyalty program database, supplemented with information from counterparty verification systems and other sources," the expert explained.