Data breaches by Russian hackers are a global concern now, but the BBC has discovered how easy it is to buy personal data such as passport and bank account details in Russia itself.
According to cyber-security experts, vast quantities of supposedly private data – including from Russian state institutions – are bought and sold every day.
One morning in January 2018, Roman Ryabov left his office in the southern Russian city of Tula for a cigarette. He worked for Beeline, one of the largest mobile phone operators in Russia.
He was approached by a man he had never met before, Andrei Bogodyuk, who immediately made a business proposal. He wanted Ryabov to access the phone records of someone he knew.
Later that day Ryabov emailed Bogodyuk a long list of telephone calls and dates, for which he was paid 1,000 roubles (£12, $16).
Ryabov also supplied his new acquaintance with data from two more mobile phone numbers. But by then Beeline had spotted the data breach and had contacted the police.
The two were tried and sentenced to community service: Bogodyuk was given 340 hours and Ryabov 320.
Booming illegal trade
Fast-forward a year and this method of acquiring personal data in Russia is already old-fashioned.
These days, private detectives, scammers or just jealous husbands can search illegal forums online and order the services of a hacker to give them an almost limitless supply of personal data.
The market for purchasing personal data in Russia is growing. For a modest fee, you can gain access to mobile phone records, addresses, passport details and even bank security codes.
The illegal forums also have sections for accessing data from state organisations, including the Federal Tax Service.
“If the demand is there and there is money to be made, then someone will rise to fill that gap,” said Harrison Van Riper, a research analyst at the cyber-security firm Digital Shadows.
Leaks of official information happen in all countries. One of the best-known cases was that of Edward Snowden, a US National Security Agency (NSA) contractor who, in 2013, released a trove of data about Washington’s spying activities.
Read more on Russian cyber-attacks:
But Russia stands out for the ease with which an ordinary person can obtain secret data held by state agencies.
“It’s a combination of the classic problems of corruption and a degree of lack of control over access to the data,” Mark Galeotti, a senior associate fellow at the Royal United Services Institute, told BBC Russian.
Russia only rarely prosecutes people for selling confidential data, but when such cases do go to trial, they offer a glimpse of how the trade works – and why it persists.
In 2016, in the Moscow suburb of Vidnoye, the deputy head of field inspections at the local branch of the Federal Tax Service was convicted after selling information about the income and assets of several Russians for 7,000 roubles. He received a fine and sentence, but both were waived under an amnesty to mark Victory Day.
In at least one case documented by the BBC, this failure to keep a lid on official data has backfired on Russia, exposing the activities of Russian spies.
Last year, Dutch authorities released the names of several people it said were involved in spying. A search for those names in a Russian car registration database – which is supposed to be secret and controlled by the interior ministry, but has been leaked to murky private operators – revealed those individuals’ addresses.
They were traced to a building in Moscow used by the GRU – Russian military intelligence.
It was an embarrassing revelation for a country run by President Vladimir Putin, a former intelligence officer, which prides itself on the excellence and secrecy of its intelligence services.
But Russia’s security apparatus is up against powerful market forces. Officials can supplement their often meagre wages by selling data on the black market.
To find out how easy it was to order personal data, BBC Russian contacted one online forum and requested the personal data of one of its correspondents.
Within a day, and for less than 2,000 roubles, a file was emailed containing extracts not only from his current passport but from every passport he had held since the age of 14.
The correspondent then revealed he was from BBC Russian and asked the seller to answer some questions. He agreed, asking to remain anonymous.
He told BBC Russian he thought of his operation as a “detective agency”. After leaked information exposed the identities of Russian intelligence operatives, he said, there was a crackdown on the trade by Russian law enforcement. That forced some operations like his out of business.
“But they are gradually coming back. It’s not something that can really be stopped,” he said.
And it’s not only Russian citizens whose data can be bought: BBC Russian ordered information about the correspondent’s wife, an EU citizen, and was given data including phone records, date of birth and passport information.
One person convicted of selling confidential data agreed to speak to BBC Russian. Anatoly Panishev, 28, an ex-employee of the mobile phone company Tele2 in Saransk, had sold the personal data of company clients.
“I only went into this because I was thinking about quitting my job,” he said. “Then a proposition came up. And so yes, I decided to make some money from it.”
Panishev earned more than 40,000 roubles in 2018 for his illegal activities, before being convicted and given an 18-month suspended sentence.
“A lot of other countries, particularly in Western Europe and North America, are very careful about data, because they need to worry about lawsuits and the General Data Protection Regulation [GDPR],” Mark Galeotti says.
“But Russia doesn’t appear to have put as much security into protecting this data as it should have.”