Óscar Montezuma Panez, lawyer specializing in technology.  (Photo: Diffusion)

The personal information they are the most precious resources in cyberspace. These can be leaked, exposed, kidnapped and even sold on black markets. For this reason, it is necessary to know how we can protect ourselves and what to do if we become victims of cybercriminals, especially in the era of free digital services.

The , has been in force since 2011 in Peru. The most recent case involving this rule is the leaking and sale of personal information of citizens in social networks, which was alerted by the Association of Banks (Asbanc) in May. Is could include anything from full names to fingerprint imagesand even vehicle details.

LOOK: We tested Google’s artificial intelligence that trains you for job interviews and this is our verdict

Private information is, therefore, one of the most important assets of people today, so it must be protected. “We live in a digital age in which personal data has become the most precious asset of any society.. With which, if the data is going to be processed by computer or digital means, all applications or programs must do so with the appropriate configuration. Namely, must comply with the security measures required by law”, stated Paola Gálvez Callirgos, an expert lawyer in new technologies.

For his part, Óscar Montezuma Panez, also a lawyer specializing in technology, pointed out that it is not possible for any business or company to not adhere to what is ordered by current law. “With the boom that personal data protection legislation has had in the world, it is impossible and totally unfeasible that a digital business has not carried out an adequate validation of compliance with the legislation”, he asserted.

Óscar Montezuma Panez, lawyer specializing in technology. (Photo: Diffusion)

How much can our personal data cost in black markets?

These are the most offered product in what is known as the ‘dark web’. According to Sol González, cybersecurity researcher at ESET, “personal information is the oil of the 21st century” and therefore can be used in many ways.

The sale of personal data violates the constitutional right to privacy, according to Galvez Callirgos. “From this follows the right to protection of personal data and the right to informational self-determination. This means that each person holding your information is the only one who can decide who has access to your data, under what conditions and to what extent”, stated the lawyer.

In the most recent case of a leak in Peru, mentioned above, access to someone’s personal data cost as little as S/. 120 ($30). These could include the RENIEC file of the person, their telephone numbers, family information, characteristics and data of their vehicles, work information, their AFP and risk information, as well as emails. Nevertheless, this price could exceed S/. 170 (US$45) in some casesas it depended on who the target person was and how much data the cybercriminals had available.

LOOK: Meta faces lawsuits in the United States for encouraging digital addiction in adolescents

Fabio Assolini, Senior Security Analyst at Kaspersky, noted that there is a price range in dollars for the different types of information. They can start from as little as 50 cents for an ID either US$ 40 for selfies with personal documents“, he claimed.

Likewise, González recalled as an example that between 2020 and 2021 “a leak [de datos personales] of Snapchat could sell it for less than US $ 100”. The low price of these lists with personal data of thousands of people causes concern in the researcher. “Many times these data leaks that are made to a company, through a hack, end up on the internet for free. If the figure offered to cybercriminals is very low within the dark web, information can end up in data leaks”, he added.

Sol González, cybersecurity researcher at ESET.  |  (Photo: LinkedIn)
Sol González, cybersecurity researcher at ESET. | (Photo: LinkedIn)

Gónzalez also commented that by having all kinds of personal data thanks to a possible leak or exposure, cybercriminals can carry out targeted attacks. “By knowing which sectors of users, for example, are interested in a bank X and which are located within an area, the attacker can mount a well targeted and persuasive campaign. Create an email from the bank, pretend to be someone from the bank and offer a product that convinces users. Also, could directly attack people with this information”, he assured.

Montezuma pointed out that the ransomwarea type of malware that “hijacks” the victim’s information and asks for payment to not publish it or lose access to it forever, has taken more force today. “Three, four years ago, in Peru, ransomware it was not so successful because people did not pay. The ‘ransom’ they asked for was in cryptocurrencies. Since it was such a seldom used currency at the time, it was not as successful. Now the world has changed and crypto is a much more widespread currency”, stated the lawyer. In other words, technology changes over time, but so does cybercrime.

LOOK: Edit videos on mobile or PC? What do professionals prefer and what resources do they use?

How to prevent a possible misuse of our personal data?

The companies or natural persons that generate applications or web pages they must provide users with the terms and conditions, as well as the privacy policy and treatment of personal data of their product. It is the responsibility of the people read both documents to be informed about what is being accepted when using these services.

They are two fundamental documents in any application or online website. The terms and conditions develop all the rules of the game applicable to the use you make of these: what you can and cannot do with them. And the privacy policy specifically refers to how your personal information is used”, assured Montezuma.

LOOK: TikTok: how did the application that challenges Instagram, Facebook, Snapchat and YouTube come about?

Also, people cannot plead ignorance after accepting these documents. “If the page or the application has these terms and conditions, and you did not read them, but you accepted them, then you are subjecting yourself to those rules of the game. If they told you that they are going to use your information in any way in their privacy policies, you have already given him that authorization”, Montezuma pointed out.

Gonzalez stated that We have an obligation to safeguard our information.. For this reason, we are also responsible for documenting and investigating what is being done with it. “If we are going to give our data, we have to see how the application or web page is ensuring their security”, he asserted.

For his part, Assolini pointed out that we must be mentalized in a possible situation where our personal data has already been violated. “Let us always consider how content we share online may be interpreted and used by others“, he claimed. In addition, he advised to investigate and use the security tools of the devices that we use every day, since the latter contain a lot of information about us.

Fabio Assolini, Senior Security Analyst at Kaspersky.  |  (Photo: Diffusion)
Fabio Assolini, Senior Security Analyst at Kaspersky. | (Photo: Diffusion)

Gálvez Callirgos pointed out that it is also important that all of us know the rights we have and also the duties as responsible Internet users. “Let’s review the privacy policy, if it is a secure page, if it is really the data that is being requested is proportional to the purpose of the treatment. If I have to fill out a form, for example, where they ask for my ID and my address, but they don’t need the second because they won’t send me a shipment, then it is disproportionate. Therefore, it is not necessary to provide this information”, he commented.

What to do if our personal data has been violated?

The first step is, according to Montezuma, to “try to do damage control” as much as possible. “Change passwords for social networks or emails, block movements in bank accounts. That is, practical and concrete measures”, he stated.

LOOK: Elon Musk accuses YouTube of spreading ‘fraudulent ads’

The second step is to proceed with formal complaints. According to Gálvez, people can use two ways. The first is file a claim with the supplier or company. This must be through the form of the Complaints book. “Immediately requested exercise their , which are the ones established by the regulations. Rights of Access, Rectification, Cancellation and Opposition”, indicated the lawyer.

The other route that those affected must follow is the one established by the norm when carrying out a complaint to the , which is in function of the Ministry of Justice. “The complaint must be made explaining what happened. What is recommended is that screenshots or evidence can be attached that allow the authority to analyze them and initiate a sanctioning procedure ex officio, ”said Gálvez. The lawyer also pointed out that those affected should always file the corresponding claims or complaints using the two channels to alert that “adequate procedures are not being carried out in relation to security measures.”

Paola Gálvez Callirgos, expert lawyer in new technologies.  |  (Photo: Diffusion)
Paola Gálvez Callirgos, expert lawyer in new technologies. | (Photo: Diffusion)

Montezuma, for his part, argued that if the offender is a person, they would first have to identify themselves and then call the authorities. “If you have clearly identified the cybercriminal, you can contact the Divindat (High Technology Crime Investigation Division) of the Peruvian National Police. They will guide you in what steps to take to locate the offender. (…) In Peru there are also cybercrime prosecutors because we have the . There are criminal judges specialized in it,” he stated.

However, Montezuma pointed out that there is a big inconvenience when these cybercriminals are not in Peru. “If it is a website or an app that is outside the country, It won’t do much good to denounce because the laws are territorial”, he explained. For this reason, he recommended being prepared for a possible breach of our personal data. “In the digital world It is no longer protecting yourself so that it does not happen to you, but rather being ready because it is going to happen to you.”, he concluded.



-In accordance with the provisions of Law No. 29733, Law on Protection of Personal Data and its regulations, irregularly obtaining and disseminating personal data of citizens, contained in the personal data banks owned by Reniec and other entities, constitutes a very serious infringement, as it is a collection of personal data through fraudulent, unfair or illegal means. The fine for this fact is 50 UIT up to 100 UIT.

-In the event that the person who accessed the information is detected, they could go to jail for the crime of illegal access. If there is complicity of officials in this crime (providing passwords, for example), they could be jailed for bribery.

Leave a Reply