Image: Anete Lusina via Unsplash

Russia seeks criminal charges against executives at flight booking service accused of failing to protect consumer data

Russian prosecutors initiated a rare criminal case against two executives of a local flight booking platform, called Leonardo, after hackers breached the company's systems last year, as reported by local media.

According to the investigation, the suspects — Leonardo vice presidents Igor Roitman and Alexander Kalchuk — failed to protect the personal data of airline passengers. The court has banned them from working at the company.

Leonardo is a flight reservation system developed by the Russian company Sirena-Travel, which provides services for the air travel and tourism industry. A previously unknown hacking group claimed to have breached the company in September of last year and published a data dump containing flight bookings of millions of passengers on a newly created Telegram channel called Muppets.

The leaked data included information such as the name of the airline company, the passenger’s city of departure and arrival, passport and birth certificate details, last name, first name and time of booking the ticket.

Later in the same month, Leonardo was hit with a distributed denial-of-service (DDoS) attack that affected the operations of several of its customers, including Russian air carriers Rossiya Airlines, Pobeda and flagship airline Aeroflot. The attack caused delays of up to an hour for departures at Moscow's Sheremetyevo International Airport.

It is not clear if the attacks are related. The Ukrainian IT Army hacktivist group claimed responsibility for the DDoS attack.

Russian state officials told local media that the attacks on Leonardo were likely carried out by hackers linked to Ukraine.

Searches and criminal charges


Last week, Russian law enforcement searched Sirena-Travel’s office in Moscow. Russian newspaper Kommersant reported that the searches were conducted by officers from the Federal Security Service (FSB), the Interior Ministry and the Internal Military Force (Rosgvardiya).

The goal of the searches wasn’t officially announced, but according to Kommersant, they were related to a cyberattack investigation.

Over the weekend, several Russian media outlets, including Kommersant and the Russian state news agency TASS, reported that Roitman and Kalchuk were detained for “allowing a cyberattack” that resulted in grave consequences in the form of “illegal acquisition of personal data of airline passengers.”

According to Russian laws, the suspects could have been sentenced to up to 10 years in prison, but the court decided to suspend them from work. Roitman and Kalchuk also temporarily cannot leave their apartments between 6 PM and 8 AM, communicate with witnesses and employees of their company, or visit the Sirena-Travel office or events organized by the company.

The court decisions have not yet entered into legal force. The prosecutor's office, which demanded the arrests, can appeal them in the Moscow City Court. The suspects denied any wrongdoing, according to Kommersant. 

Earlier in December, Sirena-Travel was fined for the September data breach. The amount of the fine wasn’t specified, but according to Russian cybersecurity expert Oleg Shakirov, companies are usually charged 60,000 rubles ($648) for failing to protect customers' personal data.

“This is the first case known to me when, after an organization has been punished for an administrative offense in the field of personal data protection (in particular, as a result of a hacker attack), a criminal case is also opened against top managers for insufficient protection of critical information infrastructure. This is likely due to the scale of the leak, as well as the sensitivity of the data,” Shakirov wrote on his Telegram channel.

Leonardo is actively promoted by Russian state agencies as an alternative to foreign software. Before many Western companies left Russia due to its invasion of Ukraine, Leonardo wasn’t very popular among local users, according to Kommersant. However, in 2022, Russia’s Ministry of Transportation announced that all local airlines had switched to domestic software.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.