
Spring, quarantine, and seedlings sprouting on the windowsill inspired a playful name for this post. Its contents, however, are quite serious. I work at SearchInform, and in the past I often heard the opinion that a DLP system and a court case are incompatible concepts, that the game is not worth the candle. That was the state of affairs about nine years ago, when the main reason for the reluctance to go to court was the company's lack of "paper" readiness at the Pre-DLP stage. Another reason was the (sometimes justified) fear that a court would not want to dig into the details of protecting information with specialized software. Over the last couple of years, though, this position has been voiced less and less. It became interesting to find out whether the situation in the courts had changed or whether people had just grown tired of it. So, with the approval of management, my colleague and I sat down to search for and analyze cases that the courts examined in 2019 under four articles of the Criminal Code of the Russian Federation on the manipulation of computer information. Results under the cut.

We were interested in cases of abuse involving documents, databases and any confidential information, committed by taking advantage of an official position.

These are offenses under the following articles of the Criminal Code of the Russian Federation:

  • 183 (part 2 and 3) - illegal receipt and disclosure of information constituting a commercial, tax or banking secret;
  • 272 (parts 1, 2 and 3) - unlawful access to computer information;
  • 159.6 (part 3) - fraud in the field of computer information;
  • 138 (Part 2) - violation of confidentiality of correspondence, telephone conversations, postal, telegraphic or other messages.

And here I would immediately like to outline a few points:

  1. [The text of this point did not survive on the page.]
  2. [The text of this point did not survive on the page; only the fragments "262-" and "sudrf.ru" remain.]
  3. How complete is the study? As complete as we could make it. Firstly, materials are not published on public resources immediately; the delay is about a month. Secondly, some cases change their legal status during consideration. Thirdly, there are appeals. Therefore, 2019 contains both cases "born" in previous years and cases that were started but carried over into 2020. Finally, fourthly, some charges are brought under several articles at once. For example, Art. 138 often "walks in a pair" with Art. 272. In the statistical calculation we counted such cases in both groups.

We never set out to make this look academic. Nevertheless, the information on every case was double-checked, more than once, and each case was boiled down from a huge sheet of legal language into a human-readable paragraph stating the essence. Let's go.


Most of the cases were brought against offenders from the telecom industry, accounting for about 70% of cases. This is mainly due to the mass of violations under Article 138 (Part 2), violation of the secrecy of correspondence. Telecom operators and their subsidiaries prosecute employees for unlawful access to call detail records.

The circumstances of these cases are usually very similar. Employees access data without any official need, out of a desire to sell information about subscribers' calls (the so-called "probiv", or "look-up for hire"). Less common were cases of "leaking out of friendship", where the motive was a selfless desire to help a friend. Outsiders often approach employees of mobile phone shops and telecom operators and ask for information for a fee. As a rule, a very modest one, no more than a few hundred rubles.

Employees from the telecom sector are also frequently tried under Article 272 (Parts 1, 2, 3, unlawful access to information). The most common scenario is making changes to a database in order to reissue a SIM card. This is not a pleasant state of affairs, because the employee usually manipulates the information either to withdraw money from the subscriber's account (as in this case) or for a fee at the request of a third party (as here).

[Figure: Distribution of cases by industry, Article 272]

There are other motives as well. In one case, the convicted woman reissued the SIM cards of clients she knew "out of revenge and hostility": she logged in to their social network accounts and posted compromising information there.

Several sentences were handed down to employees who, out of revenge, deleted or corrupted information on their organizations' websites.
After being dismissed, the IT specialist of a district court logged in to the site management system using someone else's password, changed the access rights and deleted information there (the decision mentions 645 deletion events, including entire sections). Incidentally, the offender found the password right at the workplace: it was written on a piece of paper left in the server room. He was sentenced to six months of correctional labor with 10% of earnings withheld for the state (reference to his case).
Under the other articles, the circumstances of the incidents are not so uniform. Under Art. 183 (Parts 2 and 3, disclosure of commercial, tax or banking secrets), employees of telecom operators and mobile phone shops are also often convicted (40%), but an equal share of cases comes from the banking sector.

[The description of this case did not survive on the page; only the figure "514 110" and the reference "(link to the case)" remain.]

[Figure: Distribution of cases by industry, Article 183]

Article 159.6 covers cases related to the modification of information: files, databases. Last year, 79 decisions were handed down under this article, but few of the texts were published in open access, so it is difficult to draw conclusions about the typical cases that end up in court.

The most notable published case is the story of an employee of the Ulyanovsk branch of a large federal bank. In the application used to manage customers' payment cards, he repeatedly raised the limit on his own card, and later on an accomplice's card. At first the amounts were small; eventually they grew to 25.9 million rubles.

The dry legal text is complemented by eloquent news reports in the local media about the "biggest cyber incident" in the region. Journalists covered the trial of the bank employee's accomplice, who helped withdraw the money and bought six expensive cars (Audi, Volvo, Mercedes-Benz), gold bars, mobile phones, jewelry and other goods. He immediately resold all this wealth to launder the stolen funds. He was tried in January 2019. But we are interested in the trial of the insider. He was caught later, and his trial took place in the summer (link to the case). He was sentenced to 5 years and 3 months in a penal colony and a fine of 250,000 rubles.

Businesses rarely defend their interests


In our court statistics we also looked for cases relevant to our customers, those that reveal the details of corporate fraud where the company itself is the victim. Such cases are mostly considered under Article 183 (disclosure of trade secrets). They do exist, but they are much rarer. Here are two examples:
An employee of an insurance company exported data from the system and sent it to a competing company via corporate e-mail. In total, the court decision refers to 45 episodes. The court terminated the case and imposed a court fine of 10 thousand rubles. In a similar case against an employee of a manufacturing company, the punishment was 1.5 years of correctional labor with 20% of earnings withheld for the state (reference to the text of the first case and the second).

[Figure: Distribution of cases by industry, data on all 4 articles]

It turns out that companies are far more willing to go to court when reputational risk is at stake, when their "face" could seriously suffer. Otherwise they prefer to settle matters out of court; most simply dismiss the offenders (60%, according to our research).

Penalties


[Figure: Punishments under Art. 272 (Parts 1, 2, 3), 183 (Parts 2, 3), 138 (Part 2)]

As for punishments, it is notable that crimes involving the transfer of personal data and call details are punished rather lightly. Sentences often refer to Article 73 of the Criminal Code of the Russian Federation (suspended sentence). Although the paragraph is not specified, they most likely mean Paragraph 2: when imposing a suspended sentence, the court takes into account the nature and degree of public danger of the crime, the personality of the perpetrator, and mitigating and aggravating circumstances. The logic, apparently, is this: the violations were committed "out of stupidity" or for small gain, so the punishment is meant to be educational. But these things are deceptively harmless. Personal data is of interest to an unlimited number of attackers and can "circulate" in the public domain indefinitely.

[Figure: Use of a fine as the punishment in guilty verdicts under the articles examined]

What the courts treat much more seriously is leaks and unauthorized access that are connected with, or may lead to, modification of personal information or theft of money from accounts. Thus, under Article 272 the courts far more often impose not a fine but a suspended sentence or restriction of liberty. Yet the proportionality of fines and punishments raises questions here. An example:
One of the smallest fines, 5 thousand rubles, was imposed by the court on an officer of the Federal Migration Service who, at a friend's request, deleted criminal record information from one record in the Migrant-1 database. He was able to do this from home, using remote access to the database (case).
For the remaining three articles, the most frequent outcome is termination of the case with a court fine of 8 to 110 thousand rubles (the defendant pleads guilty, pays the fine and does not receive a criminal record). Most often, the courts released from criminal liability those tried under Art. 138, Part 2, violation of the secrecy of correspondence: under this article a court fine was imposed in 63% of cases.

When a case did go to a verdict, a fine turned out to be the most common punishment, in 31% of cases. Judges resorted slightly less often to a suspended sentence and restriction of liberty, in 29% of cases. A real prison term is provided for in all of the articles under consideration, but judges almost never apply it. In the cases we examined, it was imposed only once, in the case of the withdrawal of 25+ million rubles from the bank (the story mentioned above).

Summing up


Different conclusions can be drawn. For example, that life, as always, is richer than any fiction: curiosity, self-interest, revenge, stupidity, mistake, these are the motives that drive people to encroach on other people's information.

My colleague and I will stick to our infosec considerations. For the whole of 2019, we counted 327 court cases under the four articles and parts listed at the beginning of the post. If we rely on the data of our company's annual survey, which says that only 12% of companies go to court, the actual number of incidents could obviously be much larger.

Do companies want to go to court? Yes and no. They go to court either to maintain an image of being good and fair, or when the hype rises and inaction becomes more expensive than action.
