Cyber Incident Victim: CDEK
Date: May 2020
Location: Russia
Summary
A major data breach exposed personal information of approximately nine million customers of a Russian courier service, with the dataset offered for sale online at a price equivalent to $950. The incident represents the largest known personal data leak within Russia's delivery services sector. The affected company denied responsibility for the compromise, asserting that multiple entities—including government aggregators—collect similar customer information and could have been the source. No specific details regarding the types of exposed data or confirmation of the seller's claims were provided in the report.
Description
On or around May 14, 2020, a dataset containing personal information of approximately nine million customers of CDEK Express, a Russian courier service, appeared for sale on the internet. The data was offered at a price of 70,000 rubles (equivalent to approximately $950 USD). This incident represented the largest known personal data breach involving a Russian delivery service at that time. The compromised information included customer details collected through CDEK's transportation services, though the specific data fields exposed were not detailed in available reports. The listing attracted attention from cybersecurity observers due to the substantial volume of affected individuals and the commercial nature of the data being marketed.

CDEK Express publicly denied responsibility for the data leak, asserting that no breach had occurred within their systems. A company representative emphasized that multiple entities, including government aggregators, collect similar customer data during delivery operations. This statement implied the breach could have originated from third-party partners or intermediaries rather than CDEK's direct infrastructure. No additional technical details regarding the leak's origin, data collection methods, or forensic investigation were disclosed by the company. The incident highlighted systemic risks in data handling practices across Russia's logistics sector, where customer information routinely passes through multiple organizational channels.
