According to the CBN report "Human Flesh Unboxing Survey: Tens of Thousands of Platform Members, About 30 Kinds of Privacy Information Publicly Advertised", there are many participants in "human flesh unboxing", and more than 30 kinds of personal private information are publicly sold. How exactly does such a large amount of private information get leaked and uploaded to the Internet? More than 10 reporters from CBN joined forces to conduct an in-depth investigation.
In the Internet era, the risk of privacy leakage is everywhere.
In the early days of "human flesh unboxing", celebrities and Internet celebrities were the biggest victims. Celebrities and Internet celebrities have relatively many social resources at their disposal, so why did they still become victims of "human flesh unboxing"?
"I have worked in a performance company for many years. At that time, the flights, hotels and other schedules of two of our top artists were leaked: someone in the fan group bought the artist's ID number and some personal information, and then some fans squatted at the door of the artist's house at 3 o'clock in the morning, and our artist personally persuaded the fans to go home. There are also some fans who check flights using the artist's ID number, and follow the artist or meet them at the airport throughout the process," Zhao Hua, who has been engaged in the entertainment industry for many years, told reporters.
So why is celebrities' personal information leaked? "A lot of fans are also organized, and there are several ways to get artist information or even publicly post it on the Internet. First, the studio lets information flow out: sometimes artists need to arrange faces, such as for pick-up, so the studio will send the flight information to the fan group station sister in advance, and the station sister will send the information to the fan group. The second is that there is information on scalpers who specialize in ** artists. The third is that after fans obtain the artist's ID card or other personal information, they will further 'decode' it themselves, such as going to the airline to check the flight after getting the artist's ID number," a long-time activist in the fandom told the CBN reporter.
Where does the information come from for scalpers who have mastered celebrity information? According to a person familiar with the matter, through some unboxing platforms, you can first pay dozens of yuan for robot inquiries to obtain basic information such as name, mobile phone number and ID card, and then continue to pay fees for advanced inquiries after screening. "Celebrities have a lot of basic information that is public, such as age, birthday and place of origin, and it is not difficult to screen. As long as you spend a little money, you are very likely to buy information, and then scalpers will sell celebrity information through fan groups, etc."
In the Internet era, everyone's production and life are becoming more and more digitized, and the Internet and digitalization have made everyone's clothing, food, housing and transportation convenient and fast, and also opened the door for personal privacy to be stolen by lawbreakers with ulterior motives.
Booking flights and hotels requires a lot of personal information, which is retained on all major travel platforms. The resumption of the visa delivery service will go through multiple links. The visa information itself includes the ID number, home address, property situation, work unit, spouse information, household registration information, etc. The first financial reporter recently found that because a visa requires a certain qualification, some tourism companies are cooperating with ** businessmen, and the ** business sends visas, and in this process, the visa information of tourists is sometimes sent directly to the work group for the next step of the process.
"Visas should be a one-to-one service. Large travel companies have a clear system: online handling must be confidential, offline form-filling information is limited to the visa department and does not flow out, there are spot checks every month, and the paper ** and the original documents must be locked away after the employee leaves the workstation. Sending visitor information directly to the group for processing carries a risk of information leakage," Zhou Weihong, deputy general manager of Spring and Autumn Tourism, said.
When it comes to the leakage of hotel check-in information, the hotel database is the first thing that comes to mind. A hotel manager told the CBN reporter that large hotel companies have firewalls and security management systems; for example, most employees do not have the authority to access customer data, and if data needs to be retrieved, there will be traces in the system, which can be traced. But this is not without loopholes: the reporter recently saw a front desk staff member at a brand hotel privately and quietly take a picture of a guest's ID card with a mobile phone. It is understood that this kind of behavior is not allowed, but it does happen in real life.
In the travel process, information leakage by airlines is also a major problem. According to the reporter's understanding, in the past few years, searching a search engine with keywords such as "air ticket data", "flight data" and "internal data" would bring up a large number of public ** flight information QQ groups. If you contacted an information seller in the group on the grounds of purchasing booking information, you would be told that the ** of each message ranges from a few yuan to more than ten yuan, that it can be obtained for any airline, and that the information includes the customer's name, ID number, mobile phone number and boarding number. Nowadays, the chain of sales has become less blatant, but passengers' personal and flight information can still be leaked.
In April 2015, the Jinan District Procuratorate indicted 18 suspects, including Gao, on charges that they used their jobs at airlines to resell passenger information for profit.
On the "human flesh unboxing" platform, vehicle and real estate information is of similar importance to air ticket and hotel check-in information. CBN reporters investigated how this information was leaked.
Zhang Tao has been very troubled recently, and the Volkswagen brand car insurance under her name is about to be renewed, so she has to receive sales from the insurance company almost every day in the past two months**. A salesman revealed that when buying insurance for a new car, 4S stores tend to calculate ** on major insurance platforms, which will make the owner's information leave traces in major insurance companies, because car insurance is a national insurance claim, so the information system will be shared across the country.
At present, there are a lot of vehicle condition data queries on the Internet, such as "check the car condition", "national vehicle unified query", etc., netizens can pay to obtain the corresponding information, including license plate number check vehicle, frame number check vehicle, frame number check license plate, vehicle insurance information query, vehicle query under the name, violation record query, vehicle status query, etc. In the car owner verification query project, after the reporter enters the vehicle type, license plate number, and the owner's name, the relevant ** will jump out of the payment link, and the information about whether the owner and the vehicle information match will pop up after payment.
Property information is easily accessible to those who are interested.
A real estate agency practitioner told the CBN reporter that in the process of buying and selling commercial housing, the personal information of the owner is almost "transparent". "For example, after the handover of the building, the owner information of the entire real estate will soon be in the hands of the sales staff of downstream businesses such as home decoration, home appliances, and cabinets."
In addition, real estate sales will also be with each other's customer lists. Many owners who view the property will have this experience: after going to a real estate to see the property and staying, soon the sales promotion of other real estate sales in the surrounding area or even the whole city will follow.
*Customer information** is also different, generally speaking, it will be priced according to the customer circle, such as the customer information of luxury residential communities, which is usually more expensive than the customer information of general real estate.
Mr. Zuo set up a property about 15 years ago, and at that time he found a few small intermediary stores to list it. For more than a decade since the sale of the house, Mr. Zuo has been harassed**, and he believes that this is because his personal information has been leaked.
An insider at a large intermediary revealed that because real estate transactions generally involve a large amount of money, this kind of customer information is considered very valuable, and in the process of buying and selling real estate there is indeed a risk of personal information leakage, which generally falls into three situations. First, some real estate agents, in order to seek benefits, resell the customer information in their hands; many years ago there was a case of a broker reselling information within the company, and the company finally called the police to deal with it. Second, there are hackers who specialize in attacking large intermediary companies or housing transactions, and once the system is breached, a large amount of customer information can be obtained, which eventually flows into the black reselling industry chain. Third, some self-employed or small-company practitioners of real estate expansion, also known as "real estate bees", will stay outside the more popular sales offices and large intermediary stores, and collect more customer information by recording personal information such as the license plate numbers of visiting customers.
It is worth noting that winning the lottery is also a hidden way for personal information to be leaked.
"After determining the list of winners, we need to ask the winners** to fill in personal information, including name, ID card, home address, etc., and then mail the prizes. When we collect this information, it will be transmitted to the company's database. Although not everyone can ** content, there are many people with ** permissions, and I know that there are colleagues ** guest information data. At the moment of his ** data, the guest information has been leaked," the relevant person in charge of a consulting company said.
Another part of the elderly will also encounter similar incidents. Li Xu's anti-fraud team revealed to the first financial reporter that some elderly people will receive fraud**, and the other party knows their situation well, because some fraud groups will first engage in a project, so that the elderly feel that there are many benefits, and then induce the elderly to take the initiative to fill in their personal information**. After obtaining the information of the elderly, these gangs began to contact the elderly to commit fraud.
According to a criminal verdict from the People's Court of Xiangcheng County, Henan Province, Fu and Zhang, for the purpose of making profits, searched for "local push group" through QQ, contacted Shangjia to accept the "ground push" task, and invited the passing masses to scan the code to enter the WeChat group for the purpose of making profits, and then used a WeChat group of about 15 yuan to go online with the WeChat group. As a result, some residents were unknowingly pulled into the WeChat group and defrauded of more than 30,000 yuan by criminals. According to the judgment, for the crime of infringing on citizens' personal information, defendants Zhang and Fu were sentenced to 2 years imprisonment and 2 years of probation, 3 years imprisonment and 3 years of probation, each fined 10,000 yuan, and returned their illegal gains.
Abuse of power by insiders.
In November 2020, the Handan Municipal Public Security Bureau announced that criminals had stolen personal information by renting YTO employee system accounts for a fee and then resold it to downstream criminals; the suspects involved in the case were spread across Hebei, Henan, Shandong and other provinces across the country, the amount involved was more than 120 yuan, and they have been caught. The reporter learned from a number of express delivery companies and relevant industry insiders that the leakage of express user information is not limited to YTO, but also involves many express companies and participants in the business chain, and has formed a "black industry" chain of selling express user information. In this chain, there are not only employees of express delivery companies, but also merchants who do "overseas shopping" and scalpers who sell information at all levels. They will contain the name, address, ** and other information of the courier customer**, and the price of each piece ranges from a few cents to a few yuan.
The employees of the express delivery company mentioned here are not necessarily the personnel involved in information management at the headquarters of the express company, but the franchise outlets of the express company. Most of the private express delivery companies that have grown up are expanding rapidly through the franchise system. In these express delivery companies, the headquarters is to the waybill pre-charge as the main income**, franchisees for each single express, to pay 1 yuan or more to the headquarters of the waybill fee. The larger the number of franchisees and the greater the delivery volume, the more waybills will be sold by the headquarters and the more revenue will be. Franchisees around the country are the ones who are really responsible for the cost and best of express delivery. They have to buy their own vehicles, recruit employees, or subcontract subordinate sites. Therefore, the express delivery that consumers usually see is not formulated by the headquarters of the express company, but the franchise outlets in various places are determined by themselves, and the franchisees need to be responsible for their own profits and losses in their own regions. This has also led some franchisees and even their contractors, in order to get more benefits, to join forces with scalpers to ** user information and earn more profits than sending express delivery.
On the China Judgment Online, the first financial reporter combed through the relevant judgments of "infringement of citizens' personal information" in recent years and found that in many provinces and cities, there have been cases of leakage of personal information by internal employees of communication operators' business halls and ** merchants. According to a number of judgments, from November 2020 to July 2021, a number of employees such as Xu Moumou, Lu Moumou, Li Moumou, and Chen Moumou of the Natong Business Hall of China Mobile Guangxi Longan Branch took advantage of the identity of the staff to privately send the customer's mobile phone number and verification code to WeChat groups such as "Douyin New User Group", "Old User Group", and "JD Enterprise" in the process of providing business services to customers, and used them to register various Internet platform accounts. A group of "mobile phone number + verification code" made a profit ranging from 2 yuan to 16 yuan, and ** made a profit ranging from more than 2,000 yuan to more than 7,000 yuan, and was finally sanctioned by law.
Laws and regulations clearly stipulate that public employees shall not illegally obtain citizens' personal information when performing their duties, but in fact, there are still a small number of public employees who know the law and violate the law to obtain and improve citizens' personal information for profit. The CBN reporter learned that some of the private information involved in some "human flesh unboxing" cases may have come from individual public officials.
In recent years, some localities have disclosed cases of public officials illegally obtaining citizens' personal information.
In July 2022, the Chengdu Municipal Commission for Discipline Inspection and Supervision notified 10 typical cases of "ten major fields", one of which was the illegal acquisition and ** of citizens' personal information by He Mou, a first-level police officer of the Jiang Police Station of the Dayi County Public Security Bureau. Between December 2019 and November 2020, He took advantage of his position to privately use digital certificates and mobile police terminals issued by the unit to illegally inquire about citizens' personal information such as vehicle registration and household registration** to others, and obtained a total of 558818 illegal gains28 yuan. In June 2022, He was dismissed from public office. He was sentenced to three years and eight months in prison and fined 300,000 yuan for the crime of infringing on citizens' personal information.
In March 2020, the Intermediate People's Court of Hengyang City, Hunan Province, announced the trial of a case. Xiao was formerly a police officer of the Criminal Investigation Detachment of the Hengyang City Public Security Bureau, and at the beginning of 2017, the defendant Xiao Zengcan was looking for opportunities to make money everywhere due to failed investment and economic constraints. Xiao used his authority to negotiate with the buyer that the personal whereabouts and trajectory information of citizens should be 300 yuan (code) for each, the vehicle trajectory information should be 100 yuan (code) for each item, and the citizen's accommodation information (code) should be traded at the rate of 100 yuan each. From March 2017 to December 2018, Xiao stole citizens' personal information** to others, and the illegal gains totaled RMB 181484438 yuan, Xiao committed the crime of infringing on citizens' personal information, and was sentenced to four years and six months in prison and fined 1.82 million yuan.
On October 15, 2019, the Fenggang Court in Guizhou Province openly tried a criminal case of infringing on citizens' personal information. Among the 15 defendants, five of them are auxiliary police officers from the traffic police departments of the public security bureaus of Hubei and Sichuan provinces. The court found that the defendants Chen Moudan, Liu Mou, Wang Mou, Yi Mou, and Guan Mou were all auxiliary police officers of the traffic police departments of the public security bureaus of Hubei and Sichuan provinces, and from March to May 2019, the five auxiliary police officers separately reached an intention with others to inquire about citizens' personal information**. As a result, the five auxiliary police officers logged in to the public security police system many times and illegally inquired into the detailed information of citizens' vehicle files and household registrations in Guizhou, Hubei, Yunnan and other provinces.
The court ascertained that the defendants Yi and Guan used the personal information of citizens who were illegally queried to the defendants Chen and Zhang through WeChat, and the two defendants gave the information to the defendant Xiong, and according to the above method, Xiong gave the information to the defendants Fang Mouxian, Liu Mouwei, Liu Mouwei and others. Fang Mouxian, Liu Mouwei, Luo Moudi and other 15 people illegally made profits ranging from 173358 yuan to 5,000 yuan through illegal inquiries and reselling citizens' personal information across provinces.
After trial, the court sentenced the defendants Fang Mouxian, Liu Mouwei, Luo Moudi, and 15 others to three years and two months imprisonment to five months of criminal detention, and fines ranging from 100,000 to 5,000 yuan.
Article 253 of the Criminal Law of the People's Republic of China stipulates: Whoever violates relevant state provisions by providing citizens' personal information to others or others, and the circumstances are serious, shall be sentenced to fixed-term imprisonment of not more than three years or short-term detention, and/or a fine; where the circumstances are especially serious, the sentence is between three and seven years imprisonment and a concurrent fine.
The Fenggang People's Court of Guizhou Province reminded in public reports that those who violate relevant state regulations and provide citizens' personal information obtained in the course of performing their duties or providing services to others shall be given a heavier punishment in accordance with the provisions of the preceding paragraph.
How to ensure data security?
Taking stock of the various ways of personal privacy leakage above, Guo Tao, a senior artificial intelligence expert, told the CBN reporter: "Information leakage such as 'human flesh unboxing' is usually generated through the following channels and platforms. One is the social ** platform, where users may not be aware of the risks when sharing personal information, or do not take adequate security measures. The second is e-commerce platforms and logistics companies, where some merchants or staff collect users' personal information and disclose it to third parties without authorization. The third is data leakage: when an organization's or enterprise's data is hacked or leaked by insiders, the user's personal information may be exposed. The fourth is malware and phishing attacks, where hackers trick users into entering personal information by sending malicious links or pretending to be legitimate**, so as to obtain users' sensitive data. To achieve human flesh unboxing, hackers usually need to master certain technical means, including but not limited to social engineering; phishing: sending emails or text messages disguised as legitimate** to trick users into clicking on links and revealing personal information; brute force attacks: trying every possible password combination until the right one is found; SQL injection: exploiting a vulnerability in a program to insert malicious information to obtain sensitive information."
From a technical point of view, network security expert Tian Jiyun believes that there are many links in the leakage of personal privacy information, including platforms, such as **, APP, government affairs, online shopping, express delivery, hotels, training, schools, insurance, travel, automobiles, housing and other transaction management departments. Platforms that collect and store personal information and applications that call usage information may cause information leakage. But technology is implemented by humans. Do individuals and organizations deploy or use the technology? Do individuals and organizations use it in accordance with technical requirements? It's all something that needs to be constantly observed.
"With the Cybersecurity Law, which came into effect in June 2017, the Data Security Law implemented in September, and the Personal Information Protection** implemented in November 2017, laws on the protection of personal information have become relatively sound. The relevant regulatory authorities should continue to issue more detailed and targeted norms or laws. The Anti-Telecom Network Fraud Law, which was implemented in December 2022, and the Regulations on the Protection of Minors Online, which was passed in September 2023, are examples. In particular, the Anti-Telecommunications Network Fraud Law has clear requirements and penalties for relevant departments and individuals who hold private information. This shows that the regulatory authorities also recognize that the 'internal ghost' is one of the important nodes for leaking users' private information," Tian Jiyun believes.
In terms of cracking down on "internal ghosts", in 2016, 70 large domestic express logistics companies jointly established a "blacklist" query system for express logistics, and blacklisted 12 violations of laws and regulations, such as stealing express mail, leaking customer information, and reselling customer information. Enterprises participating in the "blacklist" system of express logistics companies promise not to use couriers on the "blacklist" within 5 years. Ma Chen, senior manager of the information security department of Zhongtong Express Technology and Information Center, said that express companies are increasingly using privacy face sheets to desensitize consumers' names, addresses and other personal information.
Meituan said that since the implementation of the Data Security Law and the Personal Information Protection Law, Meituan has strictly followed the requirements of laws and regulations, focusing on basic principles such as "notification-consent" and "minimum-necessity", and has protected users' personal information rights and interests such as the right to know and the right to choose by promoting the iterative optimization of product privacy management functions and improving the transparency of privacy rules, compliance management of 13 types of privacy data.
"To prevent 'human flesh unboxing', it is necessary for individuals, enterprises, and ** to work together. First of all, individuals, as data owners, should pay attention to protecting personal privacy, enhance their awareness of personal privacy protection, and ensure sufficient vigilance against the sensitive information of themselves and their families. As data processors, enterprises should respect the relevant privacy protection requirements, technically desensitize sensitive information such as users' mobile phone numbers internally to prevent sensitive information from being leaked, and do a good job in controlling permissions for sensitive information and making leakage traceable. In addition, it is also necessary to strengthen the information security education of employees internally, cultivate the basic awareness that employees will be caught, and avoid the occurrence of internal sales of personal privacy. ** The supervision of platform companies holding a large amount of personal data should be strengthened legislatively, the crackdown on illegal 'human flesh unboxing' should be strengthened in terms of policies and laws, and individuals and enterprises who leak personal privacy should be severely punished," Yuan Bo, senior engineer of communications, analyzed.
(Zhao Hua and Zhang Tao are pseudonyms in the article, and reporter Zhang Xinchen also contributed to this article.)