On December 23, hackers released to the public more than 4,000 photos of the first pages of passports belonging to the drivers of the Citymobil service. The Telegram channel Data1eaks was the first to announce this. A Citymobil representative confirmed the leak.
The attackers published an archive that contains more than 4,000 pictures of the service’s drivers’ passports, many of which were taken in the car or next to the driver’s license, the Vedomosti correspondent was convinced. According to Data1eaks, the leak became possible due to the fact that the photos of the taxi drivers’ documents were publicly available on the server, the path to which belongs to the city-mobil.ru domain zone. After the leak became known, access to the storage was closed by the company, says Ashot Hovhannisyan, founder of the DLBI data leak intelligence and darknet monitoring service.
The authors of Data1eaks claim that the passport details of Citymobile drivers were published by pro-Ukrainian hackers from the NLB group, who had previously uploaded data from the Russian Post, GeekBrains, VkusVill, Beeline, and other systems to the network.
NLB is “a fairly serious group and is made up of highly skilled cybercriminals,” says Luka Safonov, technical director of Synclit JSC. According to him, one of the leaders is the Russian-Ukrainian hacker Vladislav Khorokhorin, who was convicted of fraud using electronic means of payment and served a seven-year prison term.
“At the moment, we are conducting an internal investigation into whether the stolen data was stored in our system and how the data could have been leaked,” a Citymobil representative told Vedomosti.
According to her, those responsible for the leak will be subject to disciplinary action. “In any case, we take responsibility for what is happening, as we are responsible for the security of data on our resources,” said a Citymobil representative. In addition, the company is preparing to notify Roskomnadzor of the leak, and the management has set up a headquarters “for a detailed analysis of this situation,” she added.
Storing scanned documents is a common practice, especially for companies that work with remote employees, says Oganesyan. It becomes a violation in case of non-compliance with security measures that lead to leaks, he adds.
Services do not always take a responsible approach to storing users’ personal data, this may be due to the fact that the fine for leaking personal data is small, explains Yana Yurakova, an analyst at the Positive Technologies research group. The results of security analysis show that in 60% of web applications it is possible to gain access to personal data, she adds.
Attackers can gain access to important data due to administrative errors, password policy deficiencies, access control deficiencies, and lack of authentication, Yurakova lists. For example, 83% of retired employees have access to their accounts at a previous job, and some companies use cloud services to work with confidential documents without proper protection, the expert cites data.
Leaking scanned documents is much more dangerous than just details, as they can be used for various types of online fraud, including obtaining loans and registering in various services, Oganesyan notes. This could lead to an increase in social engineering attacks, both in the form of calls and phishing emails on social networks and instant messengers, Yurakova adds.
During calls, scammers can provide passport details to inspire confidence, and then offer to transfer funds to a “secure” account or provide them with a transaction confirmation code or bank card details, she explains. Another real scheme in which fraudsters can use a copy of a passport to receive a service or product is the purchase of a SIM card in someone else’s name.
At the same time, it will not work to use a copy of the passport to apply for a loan or credit, Yurakova argues, since no financial institution has the right to accept it as an identity document without presenting the original. But if a loan is issued for a small amount (up to 15,000 rubles), then a financial institution may provide a simplified scheme for identifying the borrower, when it is necessary to present a scan of the passport and a photo with the original, the expert warns. For this purpose, according to her, scammers can make a fake passport.