Cyber Incident Victim: Yandex Food
Date: Mar 2022
Location: Russia
Summary
A data breach at Yandex Food, attributed to an employee, exposed personal details including emails, phone numbers, delivery addresses, and order histories of over 58,000 users. The leak compromised Russian security and military personnel who used official email addresses and ordered deliveries to sensitive facilities, revealing operational details through delivery instructions. Investigators identified corruption leads, such as luxury properties linked to high-profile figures. Russia's communications regulator imposed fines and restricted access to leaked data, while public criticism prompted threats of collective lawsuits and calls for improved cybersecurity measures. The company confirmed no financial or login credentials were compromised but faced scrutiny over inadequate data protection.
Description
In March 2022, Russian tech company Yandex confirmed a data breach affecting its Yandex Food delivery service, attributing the incident to an employee’s "dishonest actions." The breach exposed personal information of over 58,000 users, including names, phone numbers, delivery addresses, order histories, and email addresses. Notably, the leaked data did not include banking details, payment information, passwords, or registration credentials according to Yandex’s March 1 statement. On March 22, an online map publicly displayed the compromised customer data, prompting Russia’s communications regulator Roskomnadzor to restrict access to the map and initiate administrative proceedings against Yandex Food for violating personal data laws, with potential fines up to 100,000 rubles ($1,020).

Analysis by investigative group Bellingcat verified the authenticity of the leaked dataset through cross-referencing with independent sources such as social media profiles and other leaked databases. The data revealed orders placed by Russian security service personnel and military members, some using official government email addresses for deliveries to sensitive locations. Specific examples included orders to the GRU headquarters in Moscow, the FSB’s Special Operations Center in Balashikha, and military unit 3792 (the 681st Special Motorized Regiment of Rosgvardia). Delivery instructions often contained operational details, such as checkpoint protocols for restricted facilities. The leak enabled investigators to identify previously unknown contacts linked to high-profile cases, including an individual who communicated with FSB officers during Alexey Navalny’s poisoning operation and a GRU-linked person who ordered food to a Ministry of Foreign Affairs-owned address. Public fallout included widespread criticism on social media platforms like Twitter and Telegram, threats of legal action, and digital rights group Roskomsvoboda preparing a collective lawsuit against Yandex for inadequate data protection. The incident also facilitated corruption investigations, such as the identification of a 170-million-ruble apartment allegedly connected to Vladimir Putin’s reported daughter through food delivery records. Yandex issued a public apology but declined further comment on regulatory actions.
