Customer data posted publicly online

In the Draft Dossier proposing the development of the Law on Personal Data Protection, the Ministry of Public Security has reported on the Assessment of the current status of social relations related to personal data protection (DLCN).

According to the Ministry of Public Security, high-tech criminal organizations have used many sophisticated and complex technological tricks to attack the network, seize DLCN for malicious purposes. In a connected cyberspace, DLCN protection needs to be synchronized, with the coordination of organizations, businesses, individuals with specialized units in charge of network security.

Assessing the current state of social relations related to the protection of personal data, the Ministry of Public Security believes that there are many social relations related to personal data, such as between data collection organizations and data subjects, between state management agencies and data subjects; between data subjects and data subjects (individuals and individuals), between organizations and data subjects.

In addition, sanctions for violations related to DLCN are currently lacking, weak in effectiveness, and not strong enough to deter and appropriately handle violations.

Therefore, it is necessary to supplement, amend, and unify sanctions for violations to meet the practical requirements of state management of personal data protection, as well as the fight against and prevention of crimes and violations of the law on personal data protection. Therefore, the promulgation of the Law on Personal Data Protection is extremely necessary.

According to the assessment of the Ministry of Public Security, the trading of personal data is conducted systematically, organized, with a commitment to "warranty" and the ability to update data, extract data according to the buyer's request. Many data are sold publicly, for a long time, in large quantities on cyberspace. The buying and selling is conducted through websites, accounts, pages, groups on social networks, hacker forums. Payment is made through bank accounts, many transactions clearly state the content of the data buying and selling.

The buying and selling of personal data does not only take place individually, between individuals, but also involves the participation of companies, organizations, and businesses. Some newly established companies invest in building and operating technical systems that specialize in illegally collecting personal data for business profit; build software that specializes in collecting personal information, hidden in websites to automatically collect information, and analyze it into valuable personal data files. Distribute malicious code that collects personal data on the network environment (computers and mobile devices), organize attacks, and infiltrate computer systems of agencies, organizations, and businesses to appropriate personal data.

According to the Ministry of Public Security, the buying and selling of information about organizations and individuals is conducted through websites, accounts, pages, and groups on social networks such as Facebook, Zalo, Telegram raidforums.com, hacker forums, etc.

Typically, VNG Company exposed more than 163 million customer accounts; Mobile World and Dien May Xanh Company exposed more than 5 million emails and tens of thousands of payment card information such as Visa, credit cards of customers; hackers attacked the server system of Vietnam Airlines , posting on the Internet 411,000 customer accounts of Golden Lotus program members.

The situation of exposing customer information for Vietnamese taxi service brokerage companies to use to solicit customers via SMS messages, customer data of FPT Company being posted publicly on the internet; List of officials, internal contacts of ministries, economic groups (Industry and Trade, Finance, Transport, Science and Technology, Agriculture and Rural Development, Trade, General Department of Taxation, Coal Group...); electricity customers nationwide; information of phone and internet subscribers of network operators; information of customers borrowing, saving at banks; securities; insurance; business registration records; schools; household registration information; customer information in the fields of real estate, supermarkets, buying cars, motorbikes...

Detailed information about individuals, organizations, businesses, such as full name, date of birth, ID number, address, phone number, bank account number (including balance), relatives, position, job position... information about individuals and organizations nationwide that have used EVN's electricity services; information about parents and students at schools nationwide; customer information of BIDV, Techcombank, VPBank, AgriBank...

Other information, such as business registration, state agency personnel, insurance, household registration; telecommunications data, phone subscribers of Viettel, Mobiphone, Vinaphone networks; customer information at real estate projects nationwide; electronics customers in 63 provinces and cities nationwide; information of VIP customers, financial and securities investment customers, customers in the SPA, Dentistry, fashion, and beauty salon industries are also widely sold.