
Black Industry Behind Internet Data Leaks

01-17 15:05 Caijing
“Almost all major websites suffered large-scale data leaks.” Few in the industry pay attention to code security. The privacy of countless netizens was invaded as a result of the leaks.

By staff reporters He Tao and Li Xiangning

A series of data leaks dubbed by the media as “the biggest leaks in the history of China’s Internet industry” occurred at the end of 2011, revealing the vulnerability of Internet security in China.

Since Dec. 21, 2011, domestic websites including CSDN (a website for programmers), Tianya (an online community), Baihe (a dating website), and Renren (a social network) have been drawn into the user data leak incident. Later, alleged data leaks at e-commerce sites such as Alipay, Dangdang, and 360buy coupled with rumored leaks of Internet banking users’ account information at Bank of Communications and China Minsheng Banking Corp., Ltd. pushed the incident to a climax. For a time, it was difficult to distinguish between the rumors and reality, causing many to panic.

An official investigation found that many of the alleged leaks were exaggerated or even fabricated, and that some were insider jobs; the two leaks that did result from computer hacking date back to 2009, according to the press office under the State Council.

The storm created by the data leak incident seems to be ebbing, but the security of online information remains a delicate matter in China, and one that urgently calls for introspection. How can this black industry behind Internet data leaks exist? How should China deal with the industrial chain that starts with computer hacking? Who should be held accountable for user data leaks, and how? How can rule by law in China’s Internet industry be consolidated?

Information security experts told Caijing that prior to this data leak incident, the attackers must already have acquired a large amount of database resources. “It is entirely possible that the attackers had seized more user databases than have been exposed.” Some experts even contended that “Almost all major websites suffered large-scale data leaks.” Some of the websites simply chose not to disclose the leaks, fearing damage to their reputations.

The threats to the security of online information come down to four aspects:

First, disregard for data security. The password-handling code of many domestic websites is not subjected to strict security review before it goes into service for web users. Few in the industry pay attention to code security.
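As an illustration of what such a review of password-handling code is meant to catch, the following added example (not code from the article or from any site it names) contrasts a login system that stores what the user typed with one that stores only a salted, slow hash. The user records, the iteration count and the `demo` helper are constructed for the example, and the `leak_exposes_password` function stands in for the question a reviewer asks: if this table leaks, what does the reader of the leak learn?

```python
# Added example: plaintext password storage beside its hardened form,
# the kind of defect a code-security review of a website's login
# system is meant to catch. Not code from any site named in the
# article; all records below are constructed.
import hashlib
import hmac
import os

# --- Weak pattern: store the password as typed ----------------------------
# If this table leaks, every password is exposed directly and can be
# reused against other sites where the user chose the same password.
def store_plaintext(db, username, password):
    db[username] = password

def check_plaintext(db, username, password):
    return db.get(username) == password

# --- Hardened pattern: per-user random salt + slow key-derivation hash ----
ITERATIONS = 200_000  # assumption: tune so one check costs ~100 ms on the server

def hash_password(password, salt=None, iterations=ITERATIONS):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record so the parameters can be raised later.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def store_hashed(db, username, password):
    db[username] = hash_password(password)

def check_hashed(db, username, password):
    record = db.get(username)
    if record is None:
        return False
    _, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so timing does not reveal matching prefixes.
    return hmac.compare_digest(candidate.hex(), digest_hex)

def leak_exposes_password(db, username, password):
    """Reviewer's question: does the stored record hand the password to
    whoever reads the leaked table? True for the weak pattern only."""
    return db.get(username) == password

def demo():
    """Run both patterns over the same constructed users and report."""
    weak, hardened = {}, {}
    for name in ("alice", "bob"):          # two users who chose the same password
        store_plaintext(weak, name, "hunter2")
        store_hashed(hardened, name, "hunter2")
    return {
        "weak_login_ok": check_plaintext(weak, "alice", "hunter2"),
        "hardened_login_ok": check_hashed(hardened, "alice", "hunter2"),
        "hardened_rejects_wrong": check_hashed(hardened, "alice", "hunter3"),
        "hardened_rejects_unknown_user": check_hashed(hardened, "carol", "hunter2"),
        "weak_leak_exposes": leak_exposes_password(weak, "alice", "hunter2"),
        "hardened_leak_exposes": leak_exposes_password(hardened, "alice", "hunter2"),
        # Per-user salt: identical passwords still yield different records.
        "weak_records_identical": weak["alice"] == weak["bob"],
        "hardened_records_identical": hardened["alice"] == hardened["bob"],
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both versions accept the correct password and reject a wrong one, so a functional test alone would not tell them apart; only a review that asks what a leaked table reveals does, which is the point of the article's first observation.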

Second, domestic websites’ investment in information security is dangerously low. China’s share of the global information security market is in the single digits. In addition, information security accounts for a far smaller share of China’s total investment in information systems than it does in advanced countries.

Third, the already small investment in information security is unevenly distributed. Internet giants which have established large security operations and maintenance teams even compete with security software vendors for talent; while most small and medium-sized sites generally invest so little in information security that they have no specialized data security personnel.

Fourth, the country currently has over 100 laws and regulations with provisions on online information security, of which there are specialized laws and regulations such as Decision of the Standing Committee of the National People's Congress on Preserving Computer Network Security, Regulation on Protection of Computer Information Systems Security, and Regulation on Internet Information Service as well as more general laws such as Constitution, Criminal Law, State Security Law, Law on Guarding State Secrets, and Law on Administrative Penalties for Public Security.

In addition, authorities responsible for supervising information security such as the Ministry of Industry and Information Technology (MIIT), the Ministry of Public Security, National Administration for the Protection of State Secrets (NAPSS), and State Cryptography Administration have all issued departmental rules or relevant regulatory documents.

The problem is that these laws and regulations are scattered and often overlap. They were also issued at low levels of the legislative hierarchy, and no specialized, comprehensive information security law exists to regulate behavior on the Internet and to stipulate explicitly the responsibilities and obligations borne by users and enterprises.

Nevertheless, data stored in the Internet banking system is relatively safe for now. Still, the privacy of countless netizens was invaded as a result of the leaks. Victims may now receive more junk mail, spam and cold calls, and could even encounter more targeted scams devised by fraudsters.

“Websites by definition are not safe, whether domestic sites or foreign ones. You can only try your best to control the source of information. Beyond that, it is basically out of your control,” said one network security expert. 

Full article in Chinese: http://magazine.caijing.com.cn/2012-01-16/111619471.html
