Personal Data Leakage of Russian Railways Passengers

Pavel Medvedev, a specialist in search engines of Rush Agency, came to the conclusion that users of sites of such large companies as Russian Railway, VTB Bank, Sberbank, as well as the Moscow city hall, can at any moment become victims of fraud.

"I believe that many good specialists and developers have shifted to the West and the quality of staff in IT has decreased because of the crisis in Russia," said Pavel.

People who serve the Internet resources of companies make stupid mistakes. For example, they do not write down which pages the search engines can enter and which cannot. Search engines don't care where they collect information. The reasons behind data leakage are Unprofessionalism and incompetence of IT professionals and the attempts of companies to save money.

How can it be dangerous? For example, a person buys a train ticket with a departure date in six months. He receives an SMS with a link to his personal account to view and edit information. At the same time, "Yandex.Browser", Android or metric counter tells the search engine that a previously unknown page has appeared. The search engine sees that the page is working and indexes it.

Hackers who does searches related to train ticket booking gets the data and access the user's personal account, rewrites the document in his own name and after six months leaves on the train instead of the real ticket holder.

It is important to note that the personal data leakage happened not for the first time in Russian Railway. In 2016, a group of hackers found in the open access database of 3,500 passengers, including customers of the railway monopoly.