Turnover penalties for data leaks in Russia could reshape risk and competition for industrial firms


The proposal to introduce turnover penalties for data leaks in Russia could give hackers additional leverage over industrial sector companies and at the same time serve as a competitive lever for organizations, according to expert analysis from the Kaspersky ICS CERT unit. The assessment came from Dashchenko, a member of the Kaspersky Lab team, who spoke with socialbites.ca.

The draft law on turnover penalties for data leaks was submitted to the State Duma toward the end of 2023. Penalties would range from 0.1% to 3% of a company’s annual revenue for repeated data breaches, with the amount adjusted by the number of personal data subjects affected (ranging from 1,000 to 100,000 individuals). The maximum fine is capped at 500 million rubles. By January 2024, the bill had progressed to the first reading.

Dashchenko warned that if the norm becomes law, some industrial organizations might face new challenges. He noted that attackers can remain undetected within a network for extended periods, and that turnover penalties might prompt blackmailers to push for early concessions or extortion payments in exchange for keeping stolen data private.

He added that historical analyses of highly targeted industrial intrusions show well-trained adversaries, including financially motivated groups, can stay hidden within critical infrastructure for long spans. In some cases, a breach may have occurred long before discovery, with access later sold to a second attacker team on the black market.

Additionally, the expert suggested that turnover penalties could turn hackers into hired mercenaries for firms. A company with insight into a competitor's data leak could report the information to regulators, inviting a hefty fine on the rival while gaining a market advantage for itself.

There is also a hypothetical risk that attackers could leverage the new law to strike entire corporate groups. By exploiting previously unseen backdoors in software and releasing stolen data from several structurally significant entities at once, attackers could trigger immediate financial and reputational damage across multiple large industrial players in specific regions.

Dashchenko emphasized the need for further discussion of all possible scenarios to avoid irreparable consequences for industrial sector businesses in the future. The topic requires a careful, comprehensive examination of safeguards and enforcement mechanisms to balance deterrence with practical risk management.

Remarkably, the Moon botnet once infected more than 46,000 Wi-Fi routers across 88 countries, underscoring how quickly distributed devices can become entry points into critical networks. This context highlights why any new penalties framework must be paired with robust mitigation strategies and transparent, proportional enforcement.

(Source: Kaspersky ICS CERT)
