Turnover penalties for data breaches
At a presidential meeting of the Communist Party faction in the State Duma, Maksut Shadayev shared that the Ministry of Digital Development has prepared a bill introducing turnover penalties for personal data leaks. The proposal envisions fines of up to 3% of a company’s annual turnover when citizen data is exposed. The ministry is engaging with representatives of the IT industry to discuss the initiative.
Shadayev stated that the law would impose strong fines of up to 3% of turnover for inadequate data security. He noted that the ministry intends to recognise several mitigating factors when a fine is assessed. First, companies should be credited for certifying and hardening their infrastructure and for voluntarily disclosing their investments in protective measures. This would help demonstrate that an organization has done everything feasible to protect the data.
Secondly, the question of compensation for damage to citizens with leaked data will be considered. If two-thirds of affected individuals obtain compensation, potentially out of court, this would serve as another mitigating circumstance, according to the minister.
The ministry argues that the aim of turnover penalties is not to increase budget revenue but to push companies to invest more in security. There is also a plan to require organizations to report leaks more promptly, with penalties scaled to the seriousness of the breach rather than to the mere fact that one occurred.
Currently, fines for personal data leaks range from 60 thousand to 500 thousand rubles for businesses. A week earlier, President Vladimir Putin endorsed a course to tighten responsibility for leaking personal data during a meeting with the presidential council for civil society and human rights (HRC). He suggested that criminal liability be considered for illicit circulation of stolen data, emphasizing that users should understand the data they handle may be stolen.
Leaks in Yandex.Food & Delivery Club
On March 1, the security service of Yandex.Food reported a data leak. It stated that, due to dishonest actions by an employee, customer phone numbers and order details such as order contents and delivery times were exposed online. Banking data and login credentials were unaffected, and the service apologized to users.
Following an internal audit, Yandex announced a tightening of how sensitive information is stored, including order-related data. Manual processing of such data will be eliminated, and access to order information will be reduced by at least a factor of three. The company indicated it would pursue legal action against the responsible employee and filed a complaint with law enforcement for unauthorized access to customer data.
In April, Yandex.Food was fined 60 thousand rubles. On August 3, a Moscow court fined the service 60 thousand rubles again for the same leak. A similar incident affected Delivery Club, with reports in late May that files containing courier personal data were publicly available. The breach reportedly involved 521.5 thousand lines, including names, emails, and phone numbers.
According to RIA Novosti and official records, administrative fines ranged from 60 to 100 thousand rubles, with Delivery Club receiving a separate 80 thousand ruble fine for violations related to personal data.
DNS leaks and Vkusvill
In December, DNS, a major Russian electronics retail chain, confirmed that employee data had been leaked, including names, work emails, and phone numbers. Roskomnadzor had conducted an inspection, and the chain was held responsible. DNS attributed the breach to a hacker attack in October 2022 and described measures taken to prevent future incidents.
On December 9, Vkusvill announced that some customer data, including phone numbers, emails, and the last four digits of bank cards, had become public. The company said it learned of the leak during the night of December 8–9, and stated that third parties had gained access to customer data, which then became publicly available. Measures were implemented to rectify the situation and limit exposure going forward.