Customer and Parcel Data from SDEK Found to be Publicly Accessible

Concerns Raised Over CDEK’s Cyber Security After Customers’ Data Surfaces Online

CDEK, a popular courier service in Russia, recently announced that it was resuming operations after a significant service outage, during which most of the delayed parcels have been delivered. However, it is now apparent that the company might not have entirely fixed security vulnerabilities in its infrastructure. This is suggested by the appearance of some CDEK customers’ data online, related to parcels sent in April.

Customer Data Available on Google Services

Cybersecurity experts discovered several links to Google services, such as Google Sheets, which contain CDEK client data from April. This data includes consignment numbers, package descriptions, weights and images, as well as the names of CDEK divisions and senders (individuals and businesses). According to a source, links to these spreadsheets can be found in the public domain on third-party resources.

CDEK’s Response

CDEK assured that their clients’ personal data is stored in a secure database. They claimed that the publicly available data could have been instructions for staff, action templates for standard situations, and other similar information. “We have no reason to believe that a data breach has occurred,” says a CDEK representative.

No Notification of Data Leaks by CDEK

Last month, Roskomnadzor, the Russian regulatory authority, reported that CDEK had not been notifying it about any data leaks. There has been no comment from the department regarding information about the publication of the delivery service’s client data being publicly accessible. It is important to mention that in 2022, a database containing the details of over 9 million CDEK clients was reportedly put up for sale by malicious actors.

Related Posts