VNG company’s information disclosure was clearly stated in the report on the evaluation of the current state of social relations related to the protection of personal data, under the draft profile proposing the construction of the Law on the Protection of Personal Data.
The Ministry of Public Security recognized that the situation of personal data leakage is common on the internet. Users lack awareness of protecting personal data, publicly posting or revealing during the process of transfer, storage, and exchange for business activities or due to inadequate protection measures leading to misappropriation and public posting.
The Ministry of Public Security mentioned some typical cases in the assessment report: “VNG company leaked more than 163 million customer accounts; The gioi di dong and Dien may xanh companies leaked more than 5 million emails and tens of thousands of payment card information such as Visa, credit cards of customers; hackers attacked the server system of Vietnam Airlines, posting 411,000 member customer accounts of the Bong Sen Vang program on the Internet“.
Zing MP3, Zalo are two of VNG’s technology products. (Photo: VietNamnet)
Leaking customer information for Vietnamese taxi service companies to use to solicit customers via SMS messages; FPT company’s customer data being publicly posted on the internet was also mentioned by the Ministry of Public Security.
According to the Ministry of Public Security, the buying and selling of personal data is currently widespread and public, with raw data and processed personal data, many behaviors have not been resolved due to a lack of legal regulations.
The raw data includes the list of officials, internal contacts of ministries, economic groups (Trade, Finance, Transportation, Science and Technology, Agriculture and Rural Development, Commerce, General Department of Taxation, Coal Corporation…); nationwide electricity customers; information of telephone subscribers, internet of telecommunication networks; customer information for borrowing, depositing savings at banks; securities; insurance…
The processed personal data that the Ministry of Public Security recognizes are detailed information about individuals, organizations, businesses, such as: full name, date of birth, ID number, address, phone number, bank account number (including the balance), relatives, positions, and job positions…
Further analyzing this situation, the Ministry of Public Security believes that businesses, service companies that collect personal data of customers, allow third parties to access personal data information but without strict requirements or regulations, to allow third parties to transfer, trade with other partners.
Businesses proactively collect personal information of customers, form a personal data warehouse, analyze, and process the types of data to conduct business and trade.
“The sale of personal data is carried out systematically, organized, with a commitment to “warranty” and the ability to update data, extract data as requested by buyers. Many data are publicly sold over a long period, in large quantities on the internet. Trading is conducted through websites, accounts, pages, groups on social media, hacker forums…
“, the Ministry of Public Security’s report stated.
In the assessment report, the Ministry of Public Security also mentioned the methods, means of illegally collecting personal data.
Specifically, the Ministry of Public Security believes that the subjects will create or take advantage of websites with attractive content to attract users, when users access, they will silently install malicious code on computers and smart devices that users do not know to collect information.
For example, the subjects will attach malicious code to online game pages, websites with obscene content… or the subjects create pages that log in fake information (Facebook, email, bank). These pages will be sent via email to victims and they have interfaces exactly like the login pages of service providers. If the victims become less vigilant and enter their information on that website, the information will be sent to hackers instead of the service providers as they think.
Another method mentioned by the Ministry of Public Security is the method of illegally collecting personal data through free software. Specifically, with some free software provided on the Internet, especially for software with unknown origins, cracked software, the subjects will take advantage to install attached malicious code, when users download and install, they unwittingly install the code. onto their own device.
“And these codes will silently collect users’ personal data. For example: crack programs, software patches; some fake antivirus software like AntivirusGold, Antivirus PC 2009, AntiSpyware Shield Pro, DoctorTrojan…”, informed the Ministry of Public Security.
Attacking through smart devices is also a method that the subjects use to illegally collect personal data. The Ministry of Public Security assesses this as a new method. The subjects often target smart devices connected to the internet such as: Wifi routers, security cameras, smartphones…
By scanning to detect and exploit common security vulnerabilities on these devices such as using default accounts and passwords of manufacturers, not regularly updating error patches… the subjects will install malicious code to monitor, collect data, threaten or extort users.
