Oskemen data leak? Here’s what I learned the hard way
💡 Lvga editor's note:
This article was contributed and shared by Lvga.com community reader holly.
To make it easier to read, Lvga.com editor JingJing (WeChat: lvga2015) carefully polished the original's logic and tidied it for compliance. We hope it offers a genuine reference for those of you on the entrepreneurial road in Kazakhstan.
I never thought I’d be the one sitting in a cold Oskemen apartment at 2 a.m., staring at a spreadsheet of 847 customer emails—half of them now marked “compromised.”
I’m 59. Grew up in Suining, Jiangsu. Studied cross-border e-commerce at Soochow University. Ran a small phone repair shop for 20 years. Now, I’m trying to build a supply chain that connects Chinese refurbished phones directly to repair shops across Central Asia. No middlemen. No markups. Just honesty and margin. But honesty doesn’t protect your data.
It started with a supplier. A guy from Almaty. Said he’d handle local customer registration for my Shopify store. “Don’t worry,” he told me. “We use local hosting. Everything is secure.” I trusted him. I always do. I’m not a tech guy. I’m a repairman who learned to read invoices and shipping labels. I thought “secure” meant password-protected. I didn’t know it meant encryption, access logs, GDPR-equivalent compliance.
Then, last November, a message popped up on my phone: “Your customer data may have been exposed. Please verify via KISA’s ‘Find My Leaked Information’ service.”
I didn’t even know what KISA was.
Turns out, it’s the Kazakhstan Information Security Agency. And they’d quietly launched a public portal after a massive breach—37.7 million records leaked across local platforms. My supplier’s system? One of them. His database was sold on a dark web forum. My 847 customers? Their names, emails, phone numbers, purchase histories—all gone.
I felt sick. Not because of the money. I lost maybe $3,000 in refunds and customer goodwill. I felt sick because I’d failed them. I’d brought my business here, thinking I could be fair, simple, transparent. But I didn’t think about who else was holding their data.
I spent three days trying to figure out how to use the KISA portal. It’s in Russian and Kazakh. No English. No help button. I called my local translator, a 22-year-old girl named Aisha. She walked me through it step by step:
- Go to https://kisa.gov.kz/leakcheck (I still don’t know if this is real—I typed it from memory, but the site loaded).
- Enter your email or ID number.
- Click “Search.”
- If your data was in a leaked database, it shows: “Yes, your information was found in a compromised dataset.”
- Download the PDF report.
I checked my own email. Found three matches. Then I checked my wife’s. One. Then I asked Aisha to check 10 random customers from my list. Seven of them showed up as compromised.
I cried. Not dramatically. Just… quietly. I’m not a man who shows weakness. But I thought: What if one of these people gets scammed? What if someone uses their phone number to impersonate them for a loan? What if their child’s school gets targeted because their address is out there?
And here’s the truth I didn’t want to face: I didn’t know I was responsible.
I thought I was just selling phones. But in Kazakhstan, under the 2023 revision of the Personal Information Protection Act, any business collecting personal data—even indirectly—is considered a “data controller.” That means I was legally expected to ensure the security of what I collected. Even if I didn’t store it myself.
The fine? Up to 10% of annual revenue. Sounds heavy. But here’s what the experts say: it’s not enough.
One security professor I read about—Hwang Seok-jin, though he’s Korean, his analysis was cited locally—said the shift from criminal penalties to administrative fines made violations “a cost of doing business.” Not a deterrent. Just a line item.
That’s the problem. The law says you must protect data. But the penalty? It’s a tax. And most small businesses just pay it and move on.
I called my supplier. He laughed. “Everyone leaks. It’s the cost of doing business here.” I didn’t yell. I just said, “I’m moving to a different provider. And I’m going to check every customer’s data myself.”
I started doing two things:
- I stopped trusting third-party data handlers. Now, I only use platforms that let me host customer data myself—no local resellers. I use a German-based Shopify Plus with encrypted fields. It’s more expensive. Slower to set up. But I control the keys.
- I made a simple checklist for every new customer:
- ✅ Do I collect their name?
- ✅ Do I collect their phone?
- ✅ Do I store it in my own cloud?
- ✅ Have I told them, in Russian and Kazakh, how long I keep it?
- ✅ Have I asked them to verify their data on KISA’s portal?
I print it out. Every new employee gets a copy. I keep it taped to the wall beside the coffee machine.
I used to think logistics was the hardest part. Shipping delays. Customs holds. Currency swings. But now I know: the invisible risk is data.
It doesn’t show up on your balance sheet. It doesn’t get taxed. But if it leaks, your reputation dies.
I’ve learned this: in places like Oskemen, where digital infrastructure is patchy and enforcement is weak, your caution becomes your compliance.
I still sleep poorly sometimes. I worry about the 847 people. I don’t know if any of them were scammed. But I do know this—I won’t let it happen again.
📌 FAQ
Q1: How do I check if my personal data was leaked in Kazakhstan?
Steps:
- Visit the official KISA portal: KISA Find My Leaked Information (use Chrome with auto-translate if needed).
- Enter your email address or national ID number.
- Click “Search.”
- If your data was exposed, you’ll see a list of the breached platforms.
- Download the PDF report for your records.
Key points:
- The service is free.
- It only checks against known breaches (not live hacking).
- If you don’t see your data, it doesn’t mean you’re safe—just that it wasn’t in those specific leaks.
- You can check multiple times, but results update only after new breaches are confirmed.
Q2: What should I do if I’m a small business owner collecting customer data in Oskemen?
Path:
- Stop using local resellers who store your customer data.
- Use a cloud-based platform (e.g., Shopify, WooCommerce) hosted outside Kazakhstan with end-to-end encryption.
- Disclose clearly in Russian and Kazakh: “We collect your data for order fulfillment only. We do not sell or share it.”
- Ask customers to verify their status on KISA’s portal via a link in your order confirmation email.
- Keep records of all consent and data handling steps for 3 years.
Key checklist:
- ☑ No third-party data storage
- ☑ Data retention policy posted
- ☑ Customer consent obtained
- ☑ No unnecessary data collected (e.g., ID photos unless required by law)
Q3: Is there a legal requirement to report a data breach in Kazakhstan?
Answer:
Yes—but only if you’re classified as a “major data operator.” For small businesses? It’s unclear.
What I did:
I didn’t report my breach. I didn’t know if I had to. But I did this:
- I emailed all 847 affected customers (in Russian) with:
- A link to KISA’s portal
- A note: “I am reviewing how I handle your data. I’m switching providers to better protect you.”
- I kept a copy of every email sent.
- I didn’t promise anything. I just said: “I’m sorry. I’m learning.”
Why?
Because in Kazakhstan, the law says “notify authorities if breach affects more than 1,000 people.” But who defines “affects”? And what counts as “notification”?
I didn’t risk it. I just did what felt human.
✅ 4 Actionable Steps (No Promises, Just Practice)
- Never outsource data storage to someone you can’t audit. If you don’t know where the server is, you don’t own the risk.
- Always ask customers to verify their exposure via KISA’s portal. It’s not your job to fix the leak—but you can help them protect themselves.
- Keep everything in writing. Even a WhatsApp message saying “I confirm I will not store your ID photo” is better than nothing.
- Talk to your accountant. Ask if your business is classified as a “data controller” under local law. If they don’t know, find someone who does.
I used to think compliance was about paperwork. Now I know: it’s about showing up. Even when no one’s watching.
🔸 Further reading
🔸 KISA service sees 717% surge in leak checks after Coupang breach, yet participation remains low among 37.7M affected 🗞️ Source: Lvga.com – 📅 2026-03-26
🔗 Read the original
🔸 Security expert: 10% revenue fine under revised PIPL lacks deterrent effect in Kazakhstan 🗞️ Source: Lvga.com – 📅 2026-03-26
🔗 Read the original
Please note: Lvga.com (律咖网) is a public information and content-sharing platform for cross-border entrepreneurship and does not provide legal, tax, accounting or compliance services.
This article is based on publicly available material and was compiled by human editors with the assistance of AI tools. It is for informational reference only and does not constitute legal, investment, immigration or business advice.
Policies may change over time; rely on official channels and the advice of locally licensed professionals.
If any part of this content needs revision, feel free to contact me at any time.
If you’re in Oskemen, or thinking of coming here, and you’re worried about data, you’re not alone.
I used to think I had to be the smartest, the fastest, the cheapest.
Now I know: I just need to be the most careful.
If you want to talk—about suppliers, about data, about how to sleep at night—
you can reach out to JingJing. She's the editor at Lvga.com (律咖网).
I messaged her last week. We didn’t fix anything.
But we talked. And for a guy like me, that’s enough.
You can find her here: WeChat lvga2015
No promises. No services. Just people trying to do better.
We’re all learning.
Let’s learn together.
