Russian secret police details surface in delivery app data leak

A data leak has demonstrated the potential dangers of collecting user data, after the discovery that information linked to Russia's security forces has allegedly surfaced in the delivery app data cache.

Yandex Food, a food delivery app operating in Russia, was the subject of a major data leak, with the company confirming the incident on March 1. At the time, the subsidiary of tech giant Yandex said the phone numbers and customer information about orders were published online, with the data including the composition of orders, delivery times, and other information.

The leak involved the exposure of approximately 58,000 users of the app, Reuters reports, and was allegedly caused by a rogue employee. Regulator Roskomnadzor clamped down on the breach, blocking access to the map and the data.

Despite the attempt by the regulator to protect the list, the data has been scoured for information, with some interesting results. According to Bellingcat, investigators found potential leads for further corruption investigations, among other details.

For example, researchers believe they found one person linked to the poisoning of Alexey Navalny, the Russian opposition leader, who used his work email address to register.

Searches related to the headquarters of the GRU, Russia's foreign military intelligence service, found four results, while a known Federal Security Service (FSB) Special Operation Center in Moscow returned 20 results. The records for the latter also include unusual instructions to the drivers, such as passing a certain number of boom barriers and checkpoints, and calling before arrival.

Another record was found to be an order placed by someone at an apartment supposedly occupied by a "secret" daughter and ex-mistress of Russian President Vladimir Putin.

Despite the potentially sensitive nature of the data raided in the breach, as well as the attempt to prevent the information from being distributed, Yandex Food may not face a hefty fine. The regulator said that Yandex faced a fine of up to 100,000 roubles (up to $1,020) over the breach.

Yandex is a potential goldmine of data for surveillance. A March 29 report into Yandex determined analytics code produced by the tech company is embedded in 52,000 apps on iOS and Android, which can potentially collect data on millions of users.

Yandex claims it has a "very strict" process for dealing with requests for data from the government. However, security experts say that once the data reaches Russia, Yandex can do very little to prevent the government from obtaining it.