Jul 18, 2011 19:55 GMT

Russian media report that MegaFon leaked people's personal SMS messages by allowing the Yandex search engine crawlers to index them.

MegaFon is the second largest mobile phone operator in Russia, with over 30 million subscribers, while Yandex operates the largest Internet search engine in the country, with over 60% market share.

Apparently, a glitch caused thousands of text messages sent by MegaFon users to show up in Yandex search results for a special query.

The messages were personal in nature and included love declarations, break-up messages, meeting arrangements and other sensitive information.

Reports about the data breach were accompanied by a lot of speculation regarding what might have happened.

Some people suggested a misconfiguration of the Yandex.Metrika analytics tool on the MegaFon website. Others claimed that the breach was caused by customers who installed the Yandex.Bar toolbar in their browsers.

"It’s hard to say who is guilty in this issue [...]. However, this is a major breach of the Federal Law for Personal Data Protection and a bunch of other state regulations that may cause the offensive party to face a legal prosecution and substantial penalties," commented Eugene Kaspersky, co-founder and CEO of Russian security vendor Kaspersky Lab.

According to later reports, Yandex officials said the issue was caused by the robots.txt file being deleted from a special section of MegaFon's website.

Robots.txt is a file used to specify options for search engine crawlers. It can be used to tell robots that a portion of the site should not be indexed. It is only a request that well-behaved crawlers honor; it does not restrict who can load a page. That is why it's not clear why the page containing such messages was publicly accessible in the first place.
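The failure mode Yandex described can be reproduced locally. The following is an added example, not code from MegaFon or Yandex: a loopback test server with a constructed `/messages/` path and robots.txt policy (both hypothetical) shows that a compliant crawler treats a missing robots.txt as permission to index everything, while the page itself answers without authentication in both cases.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.robotparser import RobotFileParser

# Constructed policy for a hypothetical message-archive section.
ROBOTS_TXT = b"User-agent: *\nDisallow: /messages/\n"


class Site(BaseHTTPRequestHandler):
    robots_present = True  # set to False to simulate the file being deleted

    def do_GET(self):
        if self.path == "/robots.txt":
            ok = Site.robots_present
            body, status = (ROBOTS_TXT, 200) if ok else (b"not found", 404)
        else:
            # Content is served to anyone: robots.txt is the only "control".
            body, status = b"constructed message page", 200
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def audit(robots_present, path="/messages/123"):
    """Return (compliant crawler may index path, HTTP status of the page)."""
    Site.robots_present = robots_present
    # Ignore proxy environment variables so loopback requests stay local.
    urllib.request.install_opener(
        urllib.request.build_opener(urllib.request.ProxyHandler({})))
    server = HTTPServer(("127.0.0.1", 0), Site)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{server.server_port}"
        rp = RobotFileParser(base + "/robots.txt")
        rp.read()  # a 404 on robots.txt is interpreted as "no restrictions"
        with urllib.request.urlopen(base + path) as resp:
            return rp.can_fetch("*", base + path), resp.status
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("robots.txt present:", audit(True))
    print("robots.txt deleted:", audit(False))
```

In both runs the page returns 200 to an anonymous client; only the crawler's voluntary decision changes, so sensitive pages need authentication rather than a crawl directive.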

The incident only affected messages sent through a special service on MegaFon's website available at www.sendsms.megafon.ru. SMS messages sent directly from mobile phones were not impacted. Yandex has since removed the leaked information from its search pages and MegaFon closed the security hole.