Millions of customers' information leaked
The Ministry of Public Security has pointed to a series of technology enterprises that leaked customer information, as well as taxi service brokerage companies that used leaked passenger information to solicit services via SMS messages... The Ministry also said that the leaking, buying and selling of personal data is currently common, done in the open and increasingly complicated. More seriously, large quantities of data have been sold publicly in cyberspace for a long time. The buying and selling takes place not only between individuals but also involves companies, organizations and enterprises.
In 2018, technology forums reported that Thegioididong.com data had been leaked and that hackers had obtained important information such as email addresses, transaction history and even card numbers, making millions of customers restless. The Gioi Di Dong immediately issued a press release confirming that this was fake information and that the system was still safe, operating normally and not affected at all. After that, everything gradually quieted down.
Personal data is leaked and sold openly online
In April 2018, VNG recorded that 160 million Zing ID accounts were at risk of being leaked, which could affect part of the company's gaming customer base. The company said it had promptly taken technical measures to handle the incident, prevent intrusion and limit the number of users affected. VNG nevertheless admitted that a number of users had their information leaked, but said that "the scope of users actually affected by this incident is not large, concentrated in gaming customers and does not affect other VNG products", and committed to always ensuring the rights and safety of customers and to thoroughly resolving any problems that arise for customers...
According to Mr. Vo Do Thang of Athena Cyber Security Center, specific cases such as those mentioned by the Ministry of Public Security must be investigated to determine whether the company's system was attacked or whether the company's employees stole the data and released it. But regardless of the reason, when data is leaked, it means that the company's system has a vulnerability. The vulnerability can be technical or human. Therefore, network security in general and the protection of customers' personal data in particular must be monitored and carried out continuously, 24 hours a day, 365 days a year, without negligence, because no one can claim that their system is always safe: hackers can attack at any time. Not to mention cases where the company's own employees are the ones who steal customer data to sell to outsiders...
The world has heavy penalties, but Vietnam has few sanctions.
Recently, there have been a series of cases of customer information disclosure, but almost no organizations have been punished or sanctioned. Meanwhile, countries around the world have imposed very heavy penalties for this behavior. For example, in July 2019, the US Federal Trade Commission decided to fine Facebook 5 billion USD after the personal data of 87 million users of this social network was accessed and used illegally by Cambridge Analytica. According to the investigation, Facebook allowed Cambridge Analytica to illegally access the data of 50 million US users during the 2016 presidential election campaign as well as the 2016 Brexit referendum in the UK... This is the world's largest fine ever for a scandal that leaked user data.
In Vietnam, there are many regulations related to penalties for information leakage and disclosure. Currently, the Draft Decree on penalties for administrative violations in the field of cyber security (which is under consultation and awaiting promulgation by the Government) stipulates that the maximum penalty for organizations violating regulations on personal data protection is a fine of up to 5% of the total revenue of the previous fiscal year in Vietnam, applied to second or subsequent violations. In addition, there may be a supplementary penalty of revoking, for 1-3 months, the business license for lines of business that require the collection of personal data.
Mr. Vu Ngoc Son, Technical Director of VN Cyber Security Technology Company
Mr. Vu Ngoc Son, Technical Director of Vietnam Cyber Security Technology Company, said that up to now, due to the lack of detailed regulations on personal data protection, businesses and organizations that violate the law have only been subject to administrative penalties. Therefore, the proposed maximum penalty of up to 5% of total revenue in the upcoming draft is suitable for Vietnam and serves as a deterrent, pushing organizations to take greater responsibility in protecting customer data. However, according to Mr. Son, this fine is still not high compared to the rest of the world, because in many countries most fines are assessed based on the scale of impact of each violation. For example, if a violation originates from a small business but seriously affects a large number of users, the fine will still be very large. "In Vietnam, there is still no scale to assess the impact of each case of personal information leakage, so it is only reasonable to propose a fine based on revenue. I think this will be a new step forward in the process of controlling and protecting people's personal data," said Mr. Vu Ngoc Son.
Agreeing, Mr. Vo Do Thang commented that having more detailed, publicly available regulations on specific administrative penalties for violations in protecting customers' personal data will force businesses to review their network security systems and to put in place a process of regular assessment and monitoring of both technical and human factors to ensure the confidentiality of customer information. This is similar to regulations on ensuring fire safety in office buildings and crowded places. State management agencies also need to strengthen inspection and supervision and strictly punish violating businesses. A first violation may be made public in the mass media; a second violation will be subject to corresponding administrative penalties, after which the service may be suspended for a period of time so that the business can strengthen its network security system.
Regardless of whether a business is large or small, when it starts operating, it must comply with regulations on ensuring network security. This not only protects users' personal data but also contributes to increasing Vietnam's credit rating in the digital economic environment. This will bring more benefits to international trade activities and develop the country's digital economy.
Mr. Vo Do Thang, Athena Cyber Security Center