A third Internet leak in just a week has exposed the private shopping habits of people at more than 80 online stores, including those selling model cars, perfume and sex toys.
The leak was first reported by Internet security company , which e-mailed instructions on how to find data about shop orders in a Yandex search engine to several media outlets.
A Yandex query had to be formulated with complex search syntax to display the private data, all but ruling out that a casual web surfer could stumble upon the information. But simple queries entered into four other search engines — Google, Bing, Mail.ru and Rambler — also led to cached pages with order data.
Most orders appeared quite innocent, ranging from perfume to model cars. Some of the racier purchases appeared to have been erased by the search engines Tuesday afternoon. Still among the results were orders at the sex store Sexyz.ru, including a male customer's purchase of lace lingerie.
Yandex in an e-mailed statement blamed poor security at the Internet shops for the leak. Of the other search engines, only Bing's owner, Microsoft, commented, also saying that all search engines only indexed online information not marked as private, Vedomosti on its web site.
More than 80 online shops were affected by the leak, the Federal Mass Media Inspection Service said in a , adding that information on shops with poor online security measures would be forwarded to prosecutors.
Last week, a similar cache leak at MegaFon allowed some 8,000 text messages, sent by its clients through its web site, to appear online. The federal media watchdog has a breach of privacy lawsuit against the mobile phone operator, which faces a modest fine of 40,000 rubles ($1,450), Itar-Tass reported Tuesday.
Bloggers found another leak at EMS Russian Post that allows information about clients to appear in the cache of search engines.
The sudden slew of leak reports has prompted speculation that companies working in personal data protection are deliberately searching for online privacy breaches.
Informzashchita, which offers online security, might have sought publicity in reporting the leak, its former employee Sergei Gordeichik, now the technical director at Positive Technologies, said by telephone Tuesday.
His stance was echoed by Igor Ashmanov, a managing partner at Ashmanov & Partners, who Cnews.ru on Monday that IT security firms might have "searched for vulnerabilities in Yandex or Google for publicity's sake" following the MegaFon leak.
Informzashchita spokeswoman Varvara Shubina said it was "the task of any expert in the field of information security to inform the public about threats appearing in this field."
New legislation that came into force this month introduces tighter guidelines for the protection of personal data and, IT industry representatives said, makes the task more costly.
A Message from The Moscow Times:
Dear readers,
We are facing unprecedented challenges. Russia's Prosecutor General's Office has designated The Moscow Times as an "undesirable" organization, criminalizing our work and putting our staff at risk of prosecution. This follows our earlier unjust labeling as a "foreign agent."
These actions are direct attempts to silence independent journalism in Russia. The authorities claim our work "discredits the decisions of the Russian leadership." We see things differently: we strive to provide accurate, unbiased reporting on Russia.
We, the journalists of The Moscow Times, refuse to be silenced. But to continue our work, we need your help.
Your support, no matter how small, makes a world of difference. If you can, please support us monthly starting from just $2. It's quick to set up, and every contribution makes a significant impact.
By supporting The Moscow Times, you're defending open, independent journalism in the face of repression. Thank you for standing with us.
Remind me later.