Personal data breaches in Vietnam

November 7, 2023

Personal data[1] is of great value in today’s digital economy due to its advantages for businesses, such as market and customer analysis, advertising, product marketing, etc. Therefore, violations related to personal data such as attacks on personal data systems, and theft or trading of personal data have been increasing. Meanwhile, most enterprises and organizations do not fully comply with regulations on personal data protection.

In fact, the number of data leakages in Vietnam is considerable (personal data of more than two-thirds of the Vietnamese population is being stored, posted, shared, and collected on the Internet), even taking place in many large companies and corporations, which are recognized for their infrastructure to ensure information security. These businesses operate in many important and vital areas of life such as healthcare, finance, technology, etc.

Some typical recent cases in Vietnam are as follows:

* Cases of businesses/organizations disclosing customers’ personal data

  1. 411,000 member accounts of Vietnam Airlines were disclosed: In July 2016, along with the network attacks at Noi Bai airport and Tan Son Nhat airport, the hacker group “1973cn” also attacked the website and database of Vietnam Airlines. As a result, a link appeared at the bottom of the company’s website pointing to a website sharing the information of more than 400,000 members of the Lotusmiles program, including name, date of birth, address, and even the position, workplace, and phone number of some customers[2].
  2. The login credentials leakage of more than 163 million game accounts of VNG: In April 2018, data of more than 163 million Zing ID accounts were offered for sale on Raidforums.com, a forum for database trading, including username, password, game code, email address, phone number, full name, date of birth, IP address, name of city and country of the customers[3].
  3. Two million account details from MSB leaked online: In November 2019, a package of data including information on more than two million customers of Vietnam Maritime Commercial Joint Stock Bank (MSB) was posted on Raidforums.com. The leaked data included usernames, ID numbers (identity cards, for example), phone numbers, addresses, dates of birth, gender, email addresses and occupations. Some customers in Hanoi and Bac Giang confirmed that the leaked information was identical to their personal data[4].
  4. Leakage of patient data at Tu Du Hospital: In August 2022, many women reported that after giving birth at Tu Du Hospital, they often received calls promoting baby products, mother and baby care services, etc. The leaked data was so detailed that it included not only the phone numbers of patients but also the date of birth, gender and health status of the newborn. Suspecting the disclosure of patients’ personal data, the Department of Health and the People’s Committee of Ho Chi Minh City requested the hospital to clarify the issue[5].
  5. More than 16,000 customer records of Sapo, a startup specializing in building technology platforms, were offered for sale: In November 2022, approximately 16,100 records believed to belong to Sapo’s customers were publicly put up for sale by hackers (Sapo is a startup specializing in providing technology solutions to support retail and e-commerce, currently providing services to more than 150,000 businesses). The disclosed data included the name, email address, phone number and address of users[6].

Although the company’s representative, CTO Nguyen Minh Khoi, affirmed that it was not Sapo customer data but simulated information used in software programming, the incident still raised concerns about the level of data security for Sapo’s users.

  6. Personal data disclosure of FPT customers: In 2018, a package of data including the age, purchase confirmation and even ID card photos of FPT Shop’s customers was posted on a forum. The case was investigated and resolved by the Information Security Department of the Ministry of Information and Communications.

Recently (15/5/2023), personal data believed to belong to customers of FPT brands such as FPT Edu, FPT Shop and FPT Long Chau was shared on Telegram. The hacker claimed that the leaked data was obtained through a systematic attack on a website in the FPT chain. According to security experts, the information spread by the hacker was in a form quite similar to data extracted from the system’s database. However, FPT has not yet commented on this issue[7].

(Information about investigations and/or sanctions has not been made public)

* Recent criminal cases relating to personal data

  1. Hanoi People’s Court adjudicated the criminal case of 8 defendants related to the illegal purchase and sale of subscriber information of 3 network operators (Vinaphone, Viettel and Mobifone). One of the defendants used to be the Deputy Head of the Cyber Security Center of the Network Operations Department, VNPT Net Corporation[8]. In this case, the defendants were sentenced to a maximum penalty of 6 years’ imprisonment for illegal provision or use of information on computer networks and telecommunications networks, and for fabricating an organization’s seal or documents and using them.
  2. Adjudicating the criminal case of a defendant (formerly a programmer of EVN) copying and selling customer data of Vietnam Electricity Company – EVN. Due to the exposure of new facts, the Court decided to return documents for further investigations; however, the penalty that the defendant would face can be up to 7 years imprisonment.[9]
  3. Ha Tinh’s investigation police units prosecuted a case of trading personal data. Accordingly, the defendants (Xuan Dinh Dao and Duc Quang Nguyen) were prosecuted for illegal provision or use of information on computer networks and telecommunications networks, as stipulated in Article 288 of the Criminal Code.[10]
  4. The Departments of Public Security of Phu Tho province dismantled two groups unlawfully collecting and trading personal data. Five defendants were prosecuted for collecting and stealing personal data to sell for illicit profit; the total amount gained was over 1.6 billion VND. Additionally, the authority determined that approximately 900 customers had purchased data from these defendants.[11]

* Cases that are under investigation in 2023

  1. The competent agencies are investigating Mirae Asset Finance Company Vietnam for trading personal data of about 150,000 Vietnamese people. Accordingly, 76 related people were summoned and many assets and equipment were seized to serve the investigation.[12]
  2. The case of the sale of 30 million personal data records, allegedly taken from the Ministry of Education and Training, is being investigated by the Ministry of Public Security.[13]
  3. The Government has set up 11 joint inspection teams to inspect personal data protection and has transferred 2 cases to the Ministry of Public Security for criminal handling. In 2023, the inspections will continue to be carried out on the basis of the provisions of Decree 13/2023/ND-CP on personal data.[14]

In addition, there have been many cases of Vietnamese personal data leaking on various platforms, most notably Raidforums, where the source of the data could not be traced. One example is the sale of 17GB of KYC data of nearly 10,000 Vietnamese people, including photos of identity cards, selfie photos/videos, addresses, phone numbers and email addresses. This data is likely to have come from online lending applications, virtual currency exchanges, etc. Another is the case of 119,000 records including email addresses, phone numbers and passwords of users, believed to belong to a private insurance company, which also appeared on Raidforums;…

It can be seen that the disclosure of personal data at enterprises is very common and stems from many causes, both subjective (on the part of enterprises) and objective (on the part of criminals). In order to protect themselves from the risk of personal data leakage, which directly affects business operations and reputation, enterprises need to fully comply with regulations and apply advanced protection measures to minimize the possible risks.


PrivacyCompliance


[1] “Personal data” refers to electronic information in the form of symbols, letters, numbers, images, sounds, or equivalences associated with an individual or used to identify an individual.

[2] https://vtc.vn/website-cua-vietnam-airlines-bi-hack-lo-thong-tin-khach-hang-ar268720.html

[3] https://dantri.com.vn/suc-manh-so/vng-len-tieng-ve-su-co-160-trieu-zing-id-bi-lo-thong-tin-ca-nhan-20180427221703028.htm

[4] https://tuoitre.vn/thong-tin-mot-so-khach-hang-o-maritime-bank-nghi-bi-danh-cap-20191122100004909.htm

[5] https://vietnamnet.vn/benh-vien-tu-du-giai-thich-nguyen-nhan-lo-thong-tin-cua-san-phu-2052946.html

[6] https://vietnamnet.vn/nhieu-du-lieu-thong-tin-cua-nguoi-dung-viet-bi-rao-ban-tren-mang-i5006685.html

[7] https://vietnamnet.vn/nghi-van-khoi-giao-duc-fpt-bi-tan-cong-mang-gay-lo-lot-du-lieu-2143846.html

[8] https://congly.vn/xet-xu-nhom-bi-cao-mua-ban-trai-phep-so-dien-thoai-ca-nhan-235288.html

[9] https://vneconomy.vn/lap-trinh-vien-ban-thong-tin-du-lieu-ca-nhan-thu-loi-hon-279-trieu-dong.htm

[10] https://congan.hatinh.gov.vn/bai-viet/lap-nhom-data-khach-hang-tiem-nang-de-mua-ban-thong-tin-ca-nhan_1675689390.caht

[11] https://thanhnien.vn/pha-2-duong-day-mua-ban-trai-phep-thong-tin-ca-nhan-thu-loi-bat-chinh-tien-ti-1851517100.htm

[12] https://bocongan.gov.vn/tin-tuc-su-kien/cong-an-tinh-quang-nam-dieu-tra-thu-doan-cua-cong-ty-mirae-asset-mua-ban-15000-du-lieu-ca-nhan-d17-t33772.html

[13] https://vov.vn/chinh-tri/bo-cong-an-dang-dieu-tra-vu-rao-ban-30-trieu-du-lieu-ca-nhan-post962302.vov

[14] https://nhandan.vn/se-thanh-tra-toan-dien-viec-bao-dam-an-toan-du-lieu-thong-tin-ca-nhan-post723221.html

