At the ask-and-answer session on August 10 before the National Assembly Standing Committee, Minister of Public Security To Lam said the public security forces are investigating into a case of personal data leakage involving nearly one-third of the Vietnamese population.
The case started on July 8 when the school data of 30 million records of Vietnamese, collected from an educational website, were put up for sale for USD 3,500 on an online forum. Each person’s record includes full name, email, phone number, birthday, grade, school, and address. The data seller said the database “has never been leaked before.”
People of Cau Giay district, Hanoi, are carrying out procedures for registration of e-identification accounts__Photo: Pham Kien/VNA
|People of Cau Giay district, Hanoi, are carrying out procedures for registration of e-identification accounts__Photo: Pham Kien/VNA
Earlier, personal data including full names, addresses, and phone numbers of 300,000 Vietnamese people were offered for sale on a Raidforum - a hackers’ forum specializing in trading in stolen data. The hacker did not publish all the information of 300,000 people but noticed that those who want to buy full data need to contact him to negotiate the price. In his post, the hacker also said that “data will be updated monthly”.
More seriously, an account named Ox1337xO revealed that he owned a data package containing Know-Your-Customer (KYC) information of nearly 10,000 Vietnamese. The data package includes detailed information such as full name, date of birth, address, email, phone number, ID card number, etc., along with portrait photo, and front and back images of the ID card of every user. To gain buyers’ reliability and prove authenticity of the data, the hacker also shared screenshots of some personal papers of victims like household registration book. The data package was offered for sale at the price of USD 9,000 and the seller said he only accepted payment in Bitcoin or Litecoin or through an intermediary.
According to a report by the Ministry of Public Security cited on the online newspaper VnExpress, there are hundreds of organizations and individuals that were involved in trading in personal data in 2019 and 2020 with the amount of data being collected and illegally sold reaching up to 1,300 GB.
What are the sources of data leaks?
According to experts, there are three main reasons behind rampant leakage of personal data in Vietnam: low public awareness, lax data management and insufficient security measures.
Speaking at the National Assembly Standing Committee’s meeting, Minister To Lam said that subjectively people were not yet fully aware of the importance of protecting their personal data online and willing to trade it for “technological conveniences”. On social media, thousands of people still provide their phone numbers and addresses under threads that promise them prizes like cars and motorbikes, he added.
Do Huong, a young woman from the northern province of Vinh Phuc, admitted that although she rarely uses online services that require personal info but does sometimes sign up for discount programs.
“Whenever shops have a discount program, I would give them the information they requested, usually phone numbers and addresses. Sometimes when I won prizes, they would request me to take a photo of my ID card as part of the procedure,” Huong was quoted by the VnExpress as saying.
As for objective causes, a lot of enterprises collect their customers’ personal data for business purposes but permit third parties to access such data. However, these companies do not have strict regulations on this process, leading to the situation that user data are subsequently sold to other parties.
Insufficient security measures constitute another reason behind data leakage. Whereas most service providers require customers to provide identity information like full names and phone numbers, they usually do not pay due attention to information security issues, leading to lax management and security vulnerabilities. There are several illustrations for these circumstances. For example, it is almost certain that immediately after someone books a plane ticket, he will receive text messages offering airport taxi services, new mothers will be probably bothered by dozens of calls and text messages offering assorted products and services for moms and babies after released from obstetrics hospitals, while parents of school-age children will be invited by English language centers, tutoring centers, etc.
Necessity for a complete legal corridor on protection of personal data
Vietnam is one of the fastest-growing digital economies in the world with a high percentage of social network users and a rapid growth rate of people having access to the Internet as well as using smartphones. All these things create a huge impetus for economic and business activities in the digital environment. However, public awareness about cyber security seems far below technological knowledge. Against that backdrop, the lack of a complete legal framework on protection of personal data probably hinders people from being involved more deeply in the digital transformation process.
To address the situation, a representative from the Institute for Policy Studies and Media Development (IPS) suggested that in the near future, Vietnam needs to quickly promulgate a decree and then a law on personal data to specify data subjects, personal rights and corporate obligations concerning personal data.
Pham Quang Tu, Deputy Director of Oxfam in Vietnam, said a complete legal framework on data and privacy protection is essential to ensure respect for citizens’ rights and contribute to the development of the digital economy which is operated on the basis of data in the current era. “Regulations and programs of the Government should develop solutions to protect privacy for the people as well as businesses,” Tu told Cong Thuong (Industry and Trade) newspaper.
Replying to National Assembly deputies’ questions, Minister To Lam admitted that one of the reason behind incremental increase in data breaches is the lack of a complete legal framework on protection of personal data, alongside the people’s poor awareness about this issue.
“The Ministry of Public Security has submitted to the Government a draft decree on protection of personal data, which is expected to be issued in the near future,” Lam said, adding that his Ministry is considering the possibility of formulating a separate law on protection of personal data for submission to the Government and subsequently to the National Assembly in 2024.
In another move, while discussing the draft revised Law on Protection of Consumer Interests, Chairman of the National Assembly’s Committee for Science, Technology and Environment Le Quang Huy also stressed the need to formulate detailed provisions on protection and use of consumer information.
“In order to protect consumer information, the Law should clearly stipulate that in case business organizations and individuals wish to authorize or hire third parties to collect, store, use, modify, update, or destroy consumer information, they must obtain the consent of the consumers,” the legislator emphasized.