The largest private delivery company in Ukraine, Nova Poshta, has been accused of leaking the personal information of hundreds of thousands of its users to the dark web.
And someone is already selling it there, a cybersecurity expert has claimed.
Yehor Papyshev, the head of cybersecurity at international software developer DATAS Technology, says he recently came across an unidentified person selling the personal data of Nova Poshta clients in the dark web, an encrypted area of the internet that can only be accessed by special software.
According to Papyshev, the seller is offering two databases: the first has 500,000 records of clients, with their full names, phone numbers, city of residence, passport information and email address, while the second has 18 million records but each with less information – only names and numbers. The seller is charging Hr 1,500 ($55) for a copy of the database with 500,000 clients.
“News like this is already become normal in the general flow of information about the hacking and compromising of users’ data,” Papyshev wrote on Facebook late on Feb. 5, describing how he’d stumbled upon the Nova Poshta databases on the dark web. “But it seems to me a good idea to once again draw your attention to the fact that you need to look after information about yourself carefully.”
Papyshev asked the seller to send him information from the databases, providing him with several phone numbers to verify that they were actually in use. An answer quickly came – with accurate and up-to-date information.
The cybersecurity expert suspects that the source of the information is a leak from a Nova Poshta insider.
The data could be used for high-pressure advertising, SMS and email spam, and could lead to mass fraudulent “phone calls from the bank” scams, phishing emails, and similar fraud attempts, according to Papyshev.
Nova Poshta has already contacted Ukraine’s Cybersecurity Police, but police spokesperson Yulia Kvitko would not comment on the case.
Meanwhile, Nova Poshta is preparing an official statement. Its Information Technology Director Oleksandr Evstratov earlier told the Kyiv Post that the databases are not necessarily Nova Poshta’s and “the databases on the screenshot (provided by Papyshev) could belong to any other Ukrainian enterprise.”
Moreover, according to Evstratov, a primary analysis showed that some of the data is not included in Nova Poshta’s current database.
Cybersecurity expert Papyshev, however, who first brought the case to public attention and talked with the seller, insists the data is from Nova Poshta, even though there’s no other evidence other than the claims of the anonymous seller on the dark web.
“In my experience, situations like this happen a lot. In most cases the problem concerns public authorities, because they have an extreme lack of specialists who can build information security processes into the organization,” Papyshev said.
He added that if Nova Poshta were regulated by the European General Data Protection Regulation and they had leaked the data of EU citizens, the company would have to pay a fine equal to 4 percent of its annual turnover or 20 million euros (whichever is bigger).
The seller of the databases, if apprehended, could be charged under Article 361 of the Ukrainian Criminal Code – illegal interference in the work of electronic computers, systems and computer networks – and if found guilty face from three to five years in prison.
The Kyiv Post’s IT coverage is sponsored by Ciklum. The content is independent of the donors.