Russia's Black-Market Data Trade

Interesting story on the market for data in Moscow:

This Gorbushka vendor offers a hard drive with cash transfer records from Russia’s central bank for $1,500 (Canadian).


At the Gorbushka kiosk, sales are so brisk that the vendor excuses himself to help other customers while the foreigner considers his options: $43 for a mobile phone company’s list of subscribers? Or $100 for a database of vehicles registered in the Moscow region?

The vehicle database proves irresistible. It appears to contain names, birthdays, passport numbers, addresses, telephone numbers, descriptions of vehicles, and vehicle identification (VIN) numbers for every driver in Moscow.

I don’t know whether you can buy data about people in other countries, but it is certainly plausible.

Posted on July 6, 2005 at 6:10 AM25 Comments


Dan Linder July 6, 2005 8:45 AM

I agree with “A. Reader” — how is this really any different than other data-consolidation / data-mining companies that are based here in the USA?

Yes, the data that one can purchase in Moscow might be an illegitimate copy from a metropolitan database, but the information it contains is still the same.

Afterall, data is data whether it came from a black-market vendor or a major data-aggregator.

Anonymous July 6, 2005 8:53 AM


The differance?
The russian data is probably cheaper and more accurate.

Dave Harmon July 6, 2005 10:12 AM

Bruce, identify data is the least of Russia’s black markets. A friend just told me about a TV show he saw documenting the purchase there of a 19 year old girl….

chuck July 6, 2005 10:15 AM

Correction! Correction! Correction!

To clarify what we’re dealing with: on sale is the database stolen from the backup tapes of The Central Bank clearinghouse FOR THE MOSCOW REGION. Meaning it only holds data on transactions involving a) just companies based in Moscow (tax id starting with 77), b) only inter-bank transactions (xfers inside the same bank will not show up there) and c) only xfers in Russian rubles are shown (no data on currency xfers). It’s still not very pleasant to have this sort of transparency, but it’s far from “Big Brother Is Watching??? theme played by journalists. Also, on sale is the entire database of customs declarations. Data on individuals (e.g. passport database) is available just for some reasons (there isn’t a central database in Russia, thank god).

Davi Ottenheimer July 6, 2005 10:36 AM

@A. Reader

Well said. The ChoicePoint CISO claimed his company was not officially “hacked” because it willingly sold identity information to a criminal. This link to fraud has obviously been widely discussed as bad for consumers and bad for the US economy, but here is the international connection (from 2003):,11502,949607,00.html

“Governments across Latin America have launched investigations after revelations that a US company is obtaining extensive personal data about millions of citizens in the region and selling it to the Bush administration.

Documents seen by the Guardian show that the company, ChoicePoint, received at least $11m (£6.86m) last year in return for its data, which includes Mexico’s entire list of voters, including dates of birth and passport numbers, as well as Colombia’s citizen identification database. “

Davi Ottenheimer July 6, 2005 10:50 AM


Very true as well. The Florida election never recovered from ChoicePoint’s erroneous lists that showed tens of thousands of “possible felons”. But accuracy was not the point, as the Guardian article (cited above) recounts:

“James Lee, a vice-president of ChoicePoint, told Newsnight that Florida, governed by Mr Bush’s brother Jeb, had made it clear that it ‘wanted there to be more names [on the list] than were actually verified as being a convicted felon’. Mr Bush’s eventual majority in Florida was 537.”

With regard to the cost of purchasing identity data in the US, the Guardian article also explains that “In Mexico, the president of the federal electoral institute, Jose Woldenberg, revealed that his investigators had talked to the Mexican company that said it paid a ‘third person’ 400,000 pesos (£24,500) for a hard disk full of personal data drawn largely from the electoral roll. It sold this to ChoicePoint for just $250,000, indicating the huge profitability of ChoicePoint’s contracts – last year’s $11m payment was part of a five-year contract worth $67m.”

So there you have it in black and white:

US$50K for a disk in Mexico that is sold for US$250K to ChoicePoint, which is then sold to the government for millions.

Davi Ottenheimer July 6, 2005 10:56 AM


Per yesterday’s blog entry, you simply confirm what is publically acknowledged. This does not correct the points made above about what is or could be “on sale”.

In other words, can you help explain with certainty that there are no other data leaks to the (black) market, or that Muscovites are not the only ones who should be concerned?

user foo July 6, 2005 11:02 AM

You can also DOWNLOAD(!) databases of major mobile companies (which provide service for about 70% of russian cellphone users, search for MTS and Beeline, in eMule), Moscow City Telephone Systems (provides service for ALL of Moscow phone owners, search for MGTS) or road police (search for GIBDD) .
Interesting info about russian goverment people is also included. Most of them own the only Russian cheap car for about $4.000.

Anonymous July 6, 2005 11:58 AM

And remember, if you don’t feel like getting verified yourself to look up choicepoints data, $100 in e-gold (anonymous and non-reversible) will get you pretty much anything you wish to know about a person in minutes via ICQ from the proper contact (that’s a complete credit report, with full account numbers, a ssn lookup if you don’t know it, etc).

Arik July 6, 2005 1:40 PM


The ChoicePoint CISO claimed his company was not officially “hacked”

Oh yes it was. It’s called “Social Engineering”.

— Arik

SicV July 6, 2005 3:50 PM

It is hardly news. We had the similar type of data from a stolen Moscow phone database since 1993. In Russia nobody really expects privacy.

Davi Ottenheimer July 6, 2005 4:43 PM

Thanks for the link. To be fair, it seems that Equifax CEO Thomas Chapman is arguing that it is un-American to regulate a company, even when it means requiring data security (confidentiality and integrity) requirements be placed above profitability.,1848,68030,00.html?tw=wn_tophead_1

But based on the Wired article he actually appears to admit that selling potentially-false or misleading information may very well be the foundation of Equifax’s $1.27 billion in revenue last year. Even more surprising is that Wired suggests that he alludes to breaches that have not been disclosed. In sum, the article seems to try and confirm the ChoicePoint dilemma, which states that if you suddenly require the data warehouses to operate securely (and make them liable for all the lives they have ruined, or will ruin), they might have a problem sustaining their recent boon years of profitability.

I find it hard to believe that a CEO like Chapman would come out with such a vituperative stance on this topic, especially given all the obvious bad press that will result. Consider the latest warning shot fired by the Economist:

“Surely it should be obvious to the dimmest executive that trust, that most valuable of economic assets, is easily destroyed and hugely expensive to restore—and that few things are more likely to destroy trust than a company letting sensitive personal data get into the wrong hands.”

Perhaps Chapman did not get the memo…?

Rob Mayfield July 6, 2005 11:32 PM

@SicV makes a very relevant point “In Russia nobody really expects privacy.”.

If you dont get it, but dont want and/or expect it, in your world you are much better off than someone who doesnt get it, but does want and/or expect it. Obviously there is an undercurrent of whether an individual should by some right be able to expect it, but that gets more into politics and religion than security.

Personally I’d be surprised if theres anywhere on the planet where it’s not possible to buy data about other people. In these times, personal information isnt. To assume that everyone to whom you divulge personal information has both the ability, desire and committment to respect and protect it’s privacy is to delude yourself, no matter where you are.

As Bruce said, it’s an “interesting story”.

Davi Ottenheimer July 7, 2005 1:12 AM


Did you mean nobody expects privacy when in Russia, or that nobody in Russia cares about privacy or other human rights?

Sergei Smirnov recently noted:

“‘The biggest problem is indifference of Russian citizens to their rights, ‘legal nihilism’. If we talk about digital rights, especially privacy, many people (including some of our colleagues) reply ‘I don’t care about someone reading my personal data since I’ve nothing to hide’ or ‘You’ve no chance to protect your rights in this country’.”

More information can be found here:

Note the section on “liability for invasion of privacy”:

blankmeyer July 7, 2005 7:54 AM

Seriously, is anyone actually surprised by this story? I mean you have to figure that criminal organizations worldwide would traffic personal information in this manner. I’d imagine you could go into any major city and find a place to by such data at cheap prices (Ok, maybe not quite that cheap, but cheap in the spectrum of what you get by using the info you purchase).

NOT THE RUSSIAN MAFIA October 4, 2006 8:04 PM


Seattle1 October 15, 2006 3:21 AM

come on…wake up! there is so called “black market’ trading in all countries, all times in history.
half the worlds merchants and trading business can easily be considered “black market” relax…it has been a part of the human experience since organized societies have been in existance.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.