Herald of Dagestan State Technical University. Technical Sciences

Assessment of the risks of personal data leakage from through supplier channel attacks

https://doi.org/10.21822/2073-6185-2025-52-1-97-104

Abstract

Objective. The problem of personal data (PD) protection remains relevant despite the substantial volume of regulatory documentation developed by various regulators. The aim of the study is to develop methods for assessing the risk of personal data leakage from malicious attacks through supplier channels.

Method. The paper examines the problem of protecting personal data in university information systems against attacks through third-party channels, that is, service providers (supply chain attacks), which in most cases have not been sufficiently studied by experts in the field of IT security.

Result. Unlike the well-known "commercial" proposals, which provide for the introduction of ever more countermeasures (limited only by the budget), it is proposed to apply a method of assessing the risks of PD leakage through all existing PD circulation channels, rather than merely achieving the simplest formal fulfillment of the requirements of the PD owner. The work focuses on ensuring the protection of PD for universities in the Russian Federation; accordingly, several channels for the dissemination of PD in the main critical areas (provision of educational content, data of applicants and their representatives, requests from employers, etc.) were studied.

Conclusion. The presented results can be in demand both in the educational process for university programs in the specialty "Information Security" and among experts dealing with practical aspects of ensuring the protection of PD in universities.

About the Author

I. I. Livshits
National Research University ITMO
Russian Federation

Ilya I. Livshits, Dr. Sci. (Eng.), Prof. of Practice,

49 Kronverksky Ave., St. Petersburg 197101



For citations:


Livshits I.I. Assessment of the risks of personal data leakage from through supplier channel attacks. Herald of Dagestan State Technical University. Technical Sciences. 2025;52(1):97-104. (In Russ.) https://doi.org/10.21822/2073-6185-2025-52-1-97-104


This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2073-6185 (Print)
ISSN 2542-095X (Online)