The information that the agency proposes to collect may be of interest to fraudsters.
The Ministry of Transport has proposed expanding the list of passenger and crew information that carriers transfer to a single database: from September 1, it may include data on bank cards, IP addresses, phone numbers, email addresses and account passwords.

The data is to be transmitted by air, water and rail carriers, as well as by road carriers for trips between cities and to other countries. It will be supplied to the Unified State Information System for Ensuring Transport Security (EGIS OTB), which is accessible to, among others, the Federal Air Transport Agency, Rostransnadzor, the Ministry of Internal Affairs and the FSB.

Currently, carriers must transfer passport data and ticket information to the single database. The Ministry of Transport proposes to add to the list, among other things, the information specified when booking and purchasing a ticket (Passenger Name Records, PNR), as well as the last four digits of the card used to pay for the ticket, the name of the bank, the ticket price and the class of service. This data will be stored for seven years.

The mechanism for providing expanded information about passengers “in the interests of ensuring their safety in the face of terrorist threats” is provided for by amendments to the Convention on International Civil Aviation, which were introduced at the end of 2022, Deputy Transport Minister Dmitry Bakanov told reporters.

“The legislation of a number of countries already requires airlines, in case of flights to airports in these countries or through their territories, to provide the authorized authorities of these countries with expanded information about passenger reservations,” he said through the press service. “The list of information proposed for regulation by the Ministry of Transport of Russia is less than that required by many other countries.
At the same time, the new order does not oblige carriers to collect additional information about passengers, in addition to that indicated by the passenger when buying a ticket. Such a list of information is provided only if it is actually recorded in the airline’s information system.”

The Association of Air Transport Operators (AEVT) notes that some of the data specified in the Ministry of Transport’s draft, including the account login and password, is “confidential information” that cannot be disclosed without the consent of the passenger himself. This is stated in the AEVT’s review of the draft.

The review also points to the technical difficulties of complying with the order. In particular, it says that the need to transfer PNR data within 15 minutes after ticket transactions are registered is “a difficult task for both Russian and foreign carriers using various booking systems.” AEVT asked the Ministry of Transport to finalize the draft.

The information that the agency proposes to collect may be of interest to fraudsters. “The more information is collected, the more negative consequences there may be in the event of a leak,” Smartavia agrees.

A source of the newspaper at a domestic booking system added that it stores a minimum set of data about the passenger and the trip, and that a large amount of legal work is associated with the need to expand the list of information collected. However, a newspaper source close to the Ministry of Transport said that the draft would no longer be finalized. According to him, the new data will make it possible to identify intruders “from smugglers to terrorists.”

Companies have become more likely to hide leaks of personal data, Vedomosti reported in February. Kaspersky told the newspaper that over the past year, the number of leak ads has decreased by 8%, while the number of published rows of user data, on the contrary, has increased by 24%.
Experts attribute the companies’ desire to hide leaks to the discussion of draft laws on turnover fines and criminal liability for such violations.

In December 2023, two bills were submitted to the State Duma that propose to toughen the punishment for personal data leaks. The bills provide for amendments to the Code of Administrative Violations and the Criminal Code. According to the proposed amendments to the Administrative Code, the fine for legal entities and individual entrepreneurs for the leakage of personal data will range from 3 million to 15 million rubles, depending on its volume. Repeated leaks face even greater punishment: a fine of up to 3% of revenue for a calendar year, but no more than 500 million rubles.

The amendments to the Criminal Code provide for up to eight years in prison for those who export the data of Russian citizens abroad for sale or transfer. If the leak caused harm to the life and health of citizens, as well as public safety, or if we are talking about organized crime, then “this is already 10 years in prison,” one of the authors of the bill, secretary of the General Council of the United Russia party Andrei Turchak, noted in his Telegram channel. Criminal liability is also provided for those who do business on stolen data: up to five years in prison.

The draft law on turnover fines for leaks has been criticized by the Big Data Association (which unites Yandex, VK, Sberbank, Gazprombank, Tinkoff Bank, Rosselkhoznadzor, Megafon, Rostelecom, QIWI, Beeline, MTS, Avito, Skolkovo Foundation, Analytical Center under the government, VTB, Center for Strategic Research).