Post of Russia and Uralsib have divided damage from hackers

The court recognized their mutual guilt in the loss of funds in 2015.
Bank Uralsib and Post of Russia should share responsibility for the results of the attack of the Bashkir hackers of 2015, which caused damage to the bank in the amount of 8 million rubles. In October 2015, hackers, having connected to the computer of the Post of Russia branch in Tuymazy, withdrew this amount from the bank account, imitating 553 payments to 545 Beeline subscribers. In a matter of minutes, the funds were cashed. In the bank, unauthorized transactions were established only after 24 hours. In the Tuymazy District Court, there is a trial of two participants in this hacker attack.

In the arbitration court, the second round of the legal proceedings between the bank Uralsib and the Russian Post about the division of responsibility for the hacker attack, undertaken in Bashkortostan on the night of October 27, 2015, was completed. Then unknown hackers, hacking the computer department of the "Post of Russia" on Ostrovsky Street in Tuymazy, simulated the payment of 553 individuals payments to 545 subscribers of "Beeline" for a total of 8.11 million rubles. Under the contract of accession to the money transfer system, signed between Uralsib and Post of Russia, these funds were transferred to subscribers from the bank account. Within five minutes, as follows from the materials of the arbitration court, most of the amount - 8 million rubles. - was cashed.

The contract between the "Post of Russia" and the bank provided that the bank executes payment orders of the customers of "Pochta", and that in a day transfers the bank the paid payments minus the commission.

After the hacker attack, when the bank applied for the transfer of funds, in the "Post of Russia" reported that the money for these payment orders to the cashier's office did not arrive, and the payments themselves were unauthorized.

Later in the "Post of Russia" it was established that a branch employee who worked for a hacked computer did not turn it off before leaving work and did not extract a flash card with a certificate to enter the "City" payment system.

The bank filed a lawsuit seeking damages in court. The trial of the parties lasted two and a half years. Representatives of the bank in court argued that the only reason for conducting disputed transactions was "improper performance of the defendant's obligations to ensure the confidentiality of the encryption key and prevent access to equipment." The bank, as stated by representatives of Uralsib, only fulfilled the terms of the partnership agreement.

In turn, representatives of the "Post of Russia" blamed the consequences of the hacker attack on the bank, which "did not show due diligence in the implementation of remittances", but demonstrated "negligent attitude to the event that happened."

In the first round of the proceedings, the bank won two instances of the arbitration court from the "Post of Russia". Then the courts acknowledged that the "Mail" did not provide evidence of the hacker attack. However, since the materials of the criminal case were based on the fact of the hacker's attack, the cassation, having studied them, returned the case for a new examination. She pointed out that the conclusions of the lower courts contradict the protocols of interrogation of alleged hackers.

Three residents of Bashkiria - some A. Kolonshchakov, R. Muksinov and Z. Gadzhikurbanov are accused in this criminal case. Their actions are qualified as a major fraud in the sphere of computer information (Part 4, article 159.6 of the Criminal Code of the Russian Federation). With regard to the two defendants, the case is heard in the Tuymazy District Court, it is allocated to independent production for Hajikurbanov. After committing the offense, the accused developed a chronic mental disorder, according to the materials of the district court.

During the second hearing, the arbitration courts of three instances granted the claim of Uralsib in part. They ordered Rossiyskaya Pochta to pay half of the amount of the damage - 3.97 million rubles, recognizing that the staff of the Post had improperly fulfilled their obligations to ensure the security of payments, and the bank's employees did not verify the legitimacy of the amount that was significantly different from the usual amount of daily receipts of payers in this post office.

The decision of the cassation instance on this case was published last Saturday.

The press service of the regional branch of the "Post of Russia" told Kommersant that they agree with the court's decision and will not contest it. The enterprise continues cooperation with Uralsib, said Boris Slutsky, chief specialist in corporate communications of the Federal Border Service of the Russian Federation for Bashkortostan. To prevent similar incidents in the branch of the "Post of Russia", information security measures were strengthened, additional protection of the collection and processing of payments was installed, he added.

The press service of Uralsib did not respond to the request.


The general director of BASIC consulting Raul Saifullin notes that the court's decision looks fair. "On the one hand, being a professional participant in the payment system, the bank must be cautious when performing unusual operations. On the other - no one removes guilt from employees of the "Post of Russia", whose actions led to unauthorized access. There is no point in challenging judicial acts for either party, but this does not exclude the right of the victims to recover damages from defendants in the criminal case. True, the prospect of executing such a verdict is doubtful, "the expert concluded.