Rostelecom, one of the leading telecommunications companies in Russia, recently acknowledged the possibility of a data breach affecting its systems as well as the information of its users. The announcement, made on January 21, 2025, has raised significant concerns about the security of customer data and the quality of protection offered by third-party contractors.
The company indicated suspicions of this data leak stemming from vulnerabilities within one of its contractors' infrastructures. "We have previously recorded incidents of information security with one of our contractors who services these resources. It is most likely the leak occurred from the contractor's infrastructure," Rostelecom stated in a report to the news agency TASS.
According to the reports, the hack could be linked to the group known as Silent Crow, notorious for its significant breaches. Leading information security monitoring sources noted the breach could have compromised about 154,000 unique email addresses and roughly 101,000 unique phone numbers.
The leaked data allegedly includes contact information of individuals who interacted with Rostelecom’s service platforms, but early investigations suggest there were no particularly sensitive personal data leaks. Rostelecom reassured users, stating, "Preliminary data indicates no leak of sensitive personal data occurred. But we recommend users reset their passwords and enable two-factor authentication where possible.”
This incident has heightened awareness within Rostelecom and among its officials about the necessity of strengthening cybersecurity protocols. Anton Antropov, the Chief Technology Officer at IT Task, expressed concerns about the mindset surrounding security at corporations: "What we are observing is classic risk management thinking—'why protect everything when we can just safeguard the important parts?' It’s often the least considered parts, like feedback forms, where people leave real names, emails, and phone numbers, which hackers exploit."
Responding to the incident, the government department responsible for postal services, the Ministry of Digital Development, communicated confidence about the security of Russia’s state service portal, emphasizing it was not impacted by the breach. They affirmed all data held by government agencies was under reliable safeguards.
Rostelecom reiterated its commitment to investigating and strengthening its data protection measures following the breach. The company confirmed they are thoroughly analyzing the compromised database to determine the specific content and the extent of the data leak. "The resources mentioned are not intended for servicing individual clients. No personal data of private clients is stored or processed on these sites," they reiterated to the media.
The breach has sparked wider discussions about the security of personal data across various sectors. Earlier statements made by Sberbank implied alarming statistics about data leaks, noting around 90% of the adult population may have had their personal information exposed to the public domain.
This recent incident with Rostelecom isn’t isolated; it follows closely on the heels of other security breaches reported across the telecommunications sector, raising questions about systemic vulnerabilities within contracted services. Only weeks before, another provider, Nodex, faced severe infrastructure issues due to similar cybercriminal activities. Such incidents contribute to the increasing concern about data safety from hackers and the rising tide of cybercrime.
Given the recent developments, users are urged to remain vigilant about the safety of their personal information. Experts recommend changing passwords frequently and using multi-factor authentication wherever feasible to increase overall security.
With the investigation still underway, Rostelecom is working collaboratively with authorities and cybersecurity specialists to reinforce their defenses against future security breaches, recognizing the growing threat posed by cybercriminals.
The public's response to these incidents will likely shape future regulatory strategies aimed at protecting user data rights and ensuring companies hold responsibility for data security.