Internet Shopping Data Compromised

A third Internet leak in just a week has exposed the private shopping habits of people at more than 80 online stores, including those selling model cars, perfume and sex toys.

The leak was first reported by Internet security company Informzashchita, which e-mailed instructions on how to find data about shop orders in a Yandex search engine cache to several media outlets.

A Yandex query had to be formulated with complex search syntax to display the private data, all but ruling out that a casual web surfer could stumble upon the information. But simple queries entered into four other search engines — Google, Bing, Mail.ru and Rambler — also led to cached pages with order data.

Most orders appeared quite innocent, ranging from perfume to model cars. Some of the racier purchases appeared to have been erased by the search engines Tuesday afternoon. Still among the results were orders at the sex store Sexyz.ru, including a male customer's purchase of lace lingerie.

Yandex in an e-mailed statement blamed poor security at the Internet shops for the leak. Of the other search engines, only Bing's owner, Microsoft, commented, also saying that all search engines only indexed online information not marked as private, Vedomosti reportedon its web site.

More than 80 online shops were affected by the leak, the Federal Mass Media Inspection Service said in a statement, adding that information on shops with poor online security measures would be forwarded to prosecutors.

Last week, a similar cache leak at MegaFon allowed some 8,000 text messages, sent by its clients through its web site, to appear online. The federal media watchdog has filed a breach of privacy lawsuit against the mobile phone operator, which faces a modest fine of 40,000 rubles ($1,450), Itar-Tass reported Tuesday.

Bloggers found another leak at EMS Russian Post that allows information about clients to appear in the cache of search engines.

The sudden slew of leak reports has prompted speculation that companies working in personal data protection are deliberately searching for online privacy breaches.

Informzashchita, which offers online security, might have sought publicity in reporting the leak, its former employee Sergei Gordeichik, now the technical director at Positive Technologies, said by telephone Tuesday.

His stance was echoed by Igor Ashmanov, a managing partner at Ashmanov & Partners, who told Cnews.ru on Monday that IT security firms might have "searched for vulnerabilities in Yandex or Google for publicity's sake" following the MegaFon leak.

Informzashchita spokeswoman Varvara Shubina said it was "the task of any expert in the field of information security to inform the public about threats appearing in this field."

New legislation that came into force this month introduces tighter guidelines for the protection of personal data and, IT industry representatives said, makes the task more costly.

Read more