The information that VNG Company disclosed more than 163 million customer accounts was clearly stated by the Ministry of Public Security in a report assessing the current state of social relations related to personal data protection, part of the draft proposal to build the Law on Personal Data Protection.
The Ministry of Public Security has determined that personal data disclosure is common in cyberspace. Users are not aware of protecting personal data, posting it publicly or exposing it during the process of transferring, storing, exchanging for business purposes or due to inadequate protection measures leading to its appropriation and public posting.
The Ministry of Public Security listed some typical cases in the assessment report: " VNG Company exposed more than 163 million customer accounts; Mobile World and Dien May Xanh Company exposed more than 5 million emails and tens of thousands of payment card information such as Visa and credit cards of customers; hackers attacked the server system of Vietnam Airlines, posting on the Internet 411,000 customer accounts of the Golden Lotus program members ".
Zing MP3 and Zalo are two of VNG's technology products. (Photo: VietNamnet)
The situation of customer information being leaked to Vietnamese taxi service brokerage companies to solicit customers via SMS messages; customer data of FPT Company being posted publicly online, was also mentioned by the Ministry of Public Security.
According to the Ministry of Public Security, the buying and selling of personal data is currently widespread and public, with raw data and processed personal data. Many acts have not been handled due to lack of legal regulations.
Raw data includes lists of officials and internal contacts of ministries and economic groups (Industry and Trade, Finance, Transport, Science and Technology, Agriculture and Rural Development, Commerce, General Department of Taxation, Coal Group, etc.); electricity customers nationwide; information on phone and internet subscribers of network operators; information on customers borrowing and saving at banks; securities; insurance, etc.
The processed personal data is identified by the Ministry of Public Security as detailed information about individuals, organizations, and businesses, such as: full name, date of birth, ID number, address, phone number, bank account number (including balance), relatives, position, job position, etc.
Further analyzing this situation, the Ministry of Public Security said that businesses and service companies collect personal data of customers, allowing third parties to access personal data information but without strict requirements or regulations, allowing third parties to transfer and trade to other partners.
Businesses proactively collect customers' personal information, form personal data warehouses, analyze and process such data to conduct business and trade.
" The trading of personal data is conducted systematically, in an organized manner, with a commitment to "warranty" and the ability to update data and extract data according to the buyer's request. Many data are sold publicly, for a long time, in large quantities on cyberspace. The buying and selling is conducted through websites, accounts, pages, groups on social networks, hacker forums... ", the report of the Ministry of Public Security clearly stated.
In the assessment report, the Ministry of Public Security also mentioned methods and tricks for illegally collecting personal data.
Specifically, the Ministry of Public Security said that the subjects will create or take advantage of websites with attractive content to attract users. When users access them, they will silently install malicious code into computers and smart devices without the user's knowledge to collect information.
For example, the subjects will attach malicious codes to online game pages, websites with obscene content... or the subjects will create fake information login pages (Facebook, email, bank). These pages will be sent via email to the victim and they have the same interface as the login pages of service providers. If the victim is not vigilant and logs in information on that website, the information will be sent to the hacker instead of the service providers as they think.
Another method mentioned by the Ministry of Public Security is the illegal collection of personal data through free software. Accordingly, with some software provided for free on the internet, especially for software of unknown origin, cracked software, the subjects will take advantage of it to install attached malware, when users download and install it, they will accidentally install malware on their own devices.
" And these malicious codes will silently collect users' personal data. For example: software crack and patch programs; some fake anti-virus software such as AntivirusGold, Antivirus PC 2009, AntiSpyware Shield Pro, DoctorTrojan... ", the Ministry of Public Security informed.
Attacking via smart devices is also a method used by criminals to illegally collect personal data. The Ministry of Public Security considers this a new tactic. Criminals often target smart devices with internet connection such as: wifi routers, security cameras, smartphones, etc.
By conducting scans to detect and exploit common security vulnerabilities on these devices such as using default accounts and passwords from the manufacturer, not updating patches regularly, etc., the subjects will install malicious code to monitor, collect data, threaten or blackmail users.
Source
Comment (0)