The personal data of 25 million customers and 30,000 counterparties of the Russian express delivery operator CDEK could have been made public. The Telegram channel “Information Leaks” was the first to report the leak, later a company representative confirmed this to RBC.
SDEC PR director Anna Iospa told the publication that an internal investigation is underway, the circumstances are being clarified. She declined further comment.
Three files with the data of the company's clients were made publicly available. The first one contains 160 million records, it contains full name, recipients' email addresses, sender's company name, sender/recipient ID, pickup point code. The second file with 30 million lines contains information about individuals and legal entities (full name/company name in Russian and English, phone numbers, e-mail address, postal address, etc.). The third file contains more than 90 million lines with phone numbers, sender/recipient identifiers.
At the end of February, another SDEK leak occurred, which contained the ID file, phone numbers, full name. and email addresses. SDEK officially confirmed the fact of the leak, but stated that the database does not contain document numbers and other important personal information, including payment information. Sergey Trukhachev, head of the Infosecurity special services block, said that together with the previous leak, data from tens of millions of customers were leaked from CDEK, which could become a "record on the Russian market." He warned that in the near future, the attackers would analyze and combine both leaks and form one of the largest illegally obtained bases of Russian citizens. Alexei Kubarev, an expert at the RTK-Solar Dozor Product Center, also said that the leak claims to be the largest in 2022. He calculated that data of up to 30% of Russian Internet users could be in this leak.
Previously, hackers put up for sale the data of more than 9 million customers of the express delivery service CDEK. The base cost 70 thousand rubles and contained information about the delivery and location of goods, as well as customer data: their last names, first names, patronymics and TIN. The CDEK company denied the leakage of customer data. A company representative said that many aggregators, including government ones, collect this data, which means that a leak could have occurred on any of these resources.