129 Million Car Owners From Moscow Had Their Data Exposed Online

• Someone is selling an extensive collection of data belonging to Russian car owners on the dark web.
• The dump contains the full identification details and car technical and registration data of 129 million people.
• There has been news about other police data having been leaked online recently, so the cases are likely connected.

Someone is selling the personal data of 129 million car owners in Moscow, Russia, on a dark web forum. The seller has leaked a sample of the dump to help prospective buyers verify the validity, claiming that the car details are the same as the traffic police ones. The sample doesn’t contain any owner names, but it has car makes, models, place of registration, and the dates of the first and last registration that concerns them.

The amount of money that one has to pay for the dump was set at BTC 0.3, which is the equivalent to roughly $2,900. The buyer would supposedly get details such as the car owners’ full names, physical addresses, passport numbers, dates of birth, and contact information. The seller has placed a limit of three buyers (or one spending five times the amount), so there’s some exclusivity to the offer.

According to local news outlets, a car-sharing company found some of its cars in the 83-files sample and confirmed the validity of the published data. This increases the chances of the full database consisting of real data and not made-up entries, although this cannot be said with absolute certainty for now. However, there’s another element that supports the seller’s claims, and, by extension, increases the chances of the sale being real.

Recently, there have been reports about Russian citizen data being offered for sale on dark web marketplaces. This data seems to derive from self-isolation violation fines issued in Moscow. Thus, the police there may have suffered an undisclosed or even undiscovered data breach. The data contained the correct unique accrual identifiers used in the police’s ticketing system, so the pieces fit. The same dump included full names, passport numbers, and partial payment details.

Experts believe that, apart from the chances of this being a case of a direct database breach, it could also be the work of data aggregators planted on the online payment forms where booked citizens go to pay their fines. Whatever the case, there’s a problem regarding the protection of people’s data, and the law enforcement authorities are responsible for it. Finally, those who have appealed to Roskomnadzor haven’t received any compensation from the regulator, while the “lawsuit” path is unlikely to yield anything before a full decade passes by (typically). This is a pretty dire situation the Russian citizens are stuck in. Hopefully, the country's authorities will do something about the lack of security that plagues their systems.