Insider threat · Resolved

Yandex.Eda customer data leak

Yandex's food-delivery service Yandex.Eda leaked the names, phone numbers, addresses, intercom codes and order details of more than 58,000 customers, which were later mapped onto an interactive public website. Russian regulator Roskomnadzor opened a case and a Moscow court fined the company 60,000 rubles.

Victim: Yandex.Eda
Loss: $700
Records: 58.0K
Users: 58.0K

On 1 March 2022, Yandex.Eda — the food-delivery arm of Russian internet giant Yandex — announced that it had suffered a data leak, blaming the "dishonest actions of one employee." Weeks later the leaked information was published on an interactive map that let anyone look up the home addresses and phone numbers of customers, turning a back-office leak into a very public privacy crisis.

What happened

According to Yandex, an employee with access to customer records exfiltrated order data and the information ended up online. On 22 March 2022, a third-party website appeared that plotted the leaked records onto a map of Russia, exposing the personal details of more than 58,000 customers in a searchable, geographic form.

The exposed fields reportedly included customers' full names, phone numbers, delivery addresses, intercom (entry-code) details, order amounts and order history. Because Yandex.Eda serves a large urban clientele — including, reportedly, individuals linked to security and government bodies — the addressable, map-based exposure drew unusual scrutiny.

Impact

  • More than 58,000 customers had their identity and location data exposed.
  • The data's presentation as a searchable map dramatically amplified the harm versus a raw database dump.
  • A separate, related leak of courier data — around 700,000 records containing names, emails, phone numbers and hashed passwords — surfaced in the same period.

Response

Russia's communications regulator Roskomnadzor restricted access to the map and opened an administrative case against Yandex.Eda for violating personal-data law. On 21 April 2022, a Moscow court fined the company 60,000 rubles (roughly $700 at the time) over the customer leak; a further 60,000-ruble fine followed in August over the courier-data leak. Dozens of affected users launched a class-action lawsuit seeking moral damages of 100,000 rubles each.

Why it matters

The Yandex.Eda leak became a touchstone in the debate over the trivially small penalties Russian law then attached to large personal-data breaches: a 60,000-ruble fine for exposing tens of thousands of people was widely cited as evidence that fines needed to scale with harm. The case — an insider exfiltration weaponised into a public mapping tool — helped drive subsequent Russian legislative proposals for turnover-based fines for personal-data leaks, mirroring the GDPR-style escalation seen elsewhere.

Financial impact

Reported costs in USD

Total reported loss: $700 (USD)
  • Fines & settlements: $700

Timeline

  1. Yandex.Eda announces a data leak, attributing it to the 'dishonest actions of one employee' who published customer phone numbers and order details.

  2. An interactive online map appears plotting the names, phone numbers and addresses of more than 58,000 customers; Roskomnadzor restricts access and opens a case.

  3. Dozens of customers, joined by hundreds more applicants, file a class-action lawsuit seeking 100,000 rubles each in moral damages.

  4. A Moscow court fines Yandex.Eda 60,000 rubles for leaking the personal data of the 58,000 customers.

  5. A separate ruling fines Yandex.Eda a further 60,000 rubles over the leak of courier data containing some 700,000 records.
