The Moscow Kremlin.
- A Russian company accessed user data via Google for months after it was sanctioned, a report found.
- RuTarget, owned by Sberbank, Russia’s largest state-owned bank, accessed the data until June 23.
- The report’s author said there is a “huge danger” if RuTarget shared data with the Kremlin.
Google let a sanctioned Russian company access data belonging to Americans and Europeans, including user activity on websites based in Ukraine, according to a new report.
The report was compiled by Adalytics, a digital ad analysis company, and first reported by ProPublica. It found that the Russian digital advertising company RuTarget was still accessing user data through Google months after it was sanctioned as a result of Russia’s invasion of Ukraine.
RuTarget is owned by Sberbank, Russia’s largest state-owned bank that the US first sanctioned in February and imposed full blocking sanctions on in April.
Adalytics found hundreds of examples of RuTarget accessing user data through Google between February 24, when it was sanctioned, and June 23, when ProPublica contacted Google about it.
The report also said some of the data shared with RuTarget included details on users browsing Ukraine-based websites. The data access potentially includes IP addresses, location information, and mobile phone IDs.
“For all we know they are taking that data and combining it with 20 other data sources they got from God knows where,” Krzysztof Franaszek, the author of the report, told ProPublica. “If RuTarget’s other data partners included the Russian government or intelligence or cybercriminals, there is a huge danger.”
Google did not immediately respond to Insider’s request for comment. When reached by ProPublica, Google said it had blocked RuTarget from using or buying its ad products in March, but acknowledged the company was still receiving user and ad buying data from Google before June 23.
“Google is committed to complying with all applicable sanctions and trade compliance laws,” Google spokesperson Michael Aciman said. “We’ve reviewed the entities in question and have taken appropriate enforcement action beyond the measures we took earlier this year to block them from directly using Google advertising products.”
A group of US senators expressed concern in April over the potential for Americans’ data to be sold to foreign companies through online ad exchanges. The senators said in a statement that the auction process common in online ad sales means hundreds of firms might receive information about the person who is the target of the ad.
They said the firms could be collecting “device identifiers and cookies, web browsing and location data, IP addresses, and age and gender” to “compile exhaustive dossiers” about individual users.
“This information would be a goldmine for foreign intelligence services that could exploit it to inform and supercharge hacking, blackmail, and influence campaigns,” they said.