Last year, East-West Digital News reported on a Moscow discount site’s client database that had been leaked to crooks for $6,700.
Several new cases were brought to our attention recently, suggesting there is a growing black market in client database information in Russia. Various kinds of websites are affected, from small ones to some well-established e-commerce players.
Databases are being traded for 4 to 6 rubles per email address, our source said. Such practices may devalue the efforts and investments – sometimes amounting to millions of dollars – that big players are devoting to user acquisition.
“In 95% of cases, leaks come from employees, either low ranking members of the site’s IT team or marketing or CRM directors,” says Jean-Stéphane Bagoëe, the CEO of Intelligent Emails, a Western email management service provider operating in Moscow.
“High turnover comes as one of the main factors, with employees taking a copy of the database with them when leaving the company,” Bagoëe believes.
The official email brokerage market is virtually nonexistent, EWDN’s research on Russian e-commerce revealed recently. Putting aside databases of dubious origin, the only offers in the field of acquisition email marketing come from such newsletter service providers as Content.mail.ru and Subscribe.ru.
Among newcomers on the market is Directlist.ru, a St. Petersburg company, which helps companies enlarge their email base through third-party sites.
Wishful legislation
This illegal database trafficking highlights the failure of Russian authorities to enforce a particularly demanding piece of legislation aimed at protecting personal data.
Since June 2011, a new law has required companies which store and process personal data to comply with a long list of organizational and technical requirements to protect that data.
Physical carriers of personal data must be registered, only certified personal data protection software and hardware may be used, and any tools already in use must be certified.
The law also specifies that internal control policies must be defined and applied. Rules governing access to information systems where personal data is processed must be defined, and all actions performed with personal data in the system must be recorded, the legislation demands, not entirely realistically.
Moreover, the law requires the organizations concerned to “assess potential threats” to personal data security as well as any damage that could potentially be caused to the data subjects by misuse of their personal data.
Instances of unauthorized access to personal data must be made known and appropriate measures taken, the law also demands.