If you hold a membership at a hot pot restaurant, be aware that your mobile phone number and other personal information may be "running naked", that is, stored without any protection.
On January 29, the Cyberspace Administration of Shanghai announced administrative penalties against a number of well-known enterprises that had failed to effectively fulfill their responsibility to protect consumers' personal information and that had serious problems. The reporter learned through interviews that a well-known hot pot chain brand, a top-tier name in the hot pot industry, is on the list.
According to the Cyberspace Administration of Shanghai, the brand's violations of laws and regulations concern two stages. In the collection of personal information, its WeChat mini-program was still forcibly requesting precise location information. In the storage of personal information, the 150 million pieces of member personal information and 180,000 pieces of company employee information accumulated over the roughly 30 years since the company was founded were stored unencrypted, and "had been in a state of 'running naked' for many years."
"This is the most immediate risk to consumers, and once the information is leaked, it may cause irreparable damage," the relevant person in charge at the Cyberspace Administration of Shanghai pointed out.
Member information "running naked"
According to the Cyberspace Administration of Shanghai, the investigation into the brand's violations ran from the end of October to November 2023. To consolidate the results of the "Liangjian Pujiang" ("Bright Sword Pujiang") special law enforcement action for the protection of personal information rights and interests, the Cyberspace Administration of Shanghai launched a "look-back" law enforcement inspection, and the hot pot brand was one of its targets.
In the notice released to the public, the Cyberspace Administration of Shanghai said that 150 million pieces of the hot pot brand's member personal information and 180,000 pieces of employee information were not encrypted.
The Paper further learned that the 150 million pieces of member personal information cover members in Chinese mainland collected since the hot pot brand was founded, consisting mainly of members' mobile phone numbers, email addresses and the like. The 180,000 pieces of employee personal information go further and include sensitive personal information such as names, ID numbers, mobile phone numbers and home addresses.
According to public information, the hot pot brand, a well-known chain, was founded nearly 30 years ago and has more than 1,000 restaurants in Chinese mainland.
Industry experts who asked not to be named analyzed that unencrypted personal information is at risk of being stolen by insiders. Real mobile phone numbers leaked by an insider can be used to learn members' consumption habits, and when combined with other data sources sold on the "dark web", they allow users to be profiled even more precisely.
The Cyberspace Administration of Shanghai added that leaked personal information may also be used for telecom fraud: "by analyzing and assessing personal information, those involved in telecom fraud can determine whether you belong to a particular group of people who are easily deceived."
Unregulated "super admins"
If the 150 million pieces of member personal information and 180,000 pieces of employee information were at risk of leakage because they were not encrypted, that risk was further aggravated by the "super administrator" accounts the well-known hot pot chain brand had granted.
Because "super admins" hold the highest privileges and unrestricted full access, their number is generally kept strictly limited. The Paper learned from the Cyberspace Administration of Shanghai that, when inspecting the hot pot brand, technicians found more than 20 "super administrator" accounts on its member operation and management platform.
"The 'super administrators' set up in an enterprise operating system are generally one or two, dedicated to management. The hot pot brand's distribution of operating authority is obviously unreasonable." The technical staff involved in the inspection told The Paper that this aggravated the risk of leakage of members' personal information, and that "the probability of members' personal information leaking jumps to more than 1:20."
Asked why there were so many "super administrators", the hot pot brand said they were needed for system testing.
As for the 180,000 pieces of employee personal information, it was reported that some accounts in the hot pot brand's personnel system could also look up sensitive personal information, including ID numbers and home addresses.
In addition, The Paper learned that during the collection of personal information, the hot pot brand's WeChat mini-program forced users to grant location permission for precise location information when filling in a delivery address; otherwise the delivery address could not be added. This was a mandatory request for an unnecessary permission.
This violation has since been rectified. The Paper recently opened the "Delivery Address" section of the brand's delivery WeChat mini-program and found that it no longer requires precise location information: users can manually select a location or fill in the delivery address themselves.
There is an urgent need for increased compliance awareness
Regarding the verified violations by the hot pot brand, the relevant person in charge at the Cyberspace Administration of Shanghai emphasized that enterprises must improve their compliance awareness of personal information security protection. "The larger the amount of information an enterprise collects and the more sensitive its content, the stricter the enterprise's legal responsibility should be. A lack of corporate compliance awareness means a greater risk that consumers' personal information will be leaked."
The person in charge also said that personal information is protected by law and concerns people's vital interests, and no organization or individual may infringe upon it. By publishing typical cases, the Cyberspace Administration of Shanghai hopes to warn and educate the industry and the enterprises concerned, helping them build on their strengths and shore up their weaknesses, improve their compliance awareness of protecting consumers' personal information, and earnestly fulfill their obligations and legal responsibilities for personal information protection.
According to the data, in the "Liangjian Pujiang" special action launched in June 2023, the municipal and district cyberspace and market supervision departments in Shanghai have inspected a total of 6,043 enterprises, interviewed more than 520 enterprises in accordance with the law, and investigated and handled more than 50 personal information protection cases of various kinds.
The Cyberspace Administration of Shanghai said that its next step is to thoroughly implement the requirements of laws and regulations on personal information protection, continue to strengthen personal information protection, urge enterprises to earnestly fulfill their primary responsibilities, and resolutely investigate and deal with enterprises that have serious problems and repeatedly refuse to change.
The Cyberspace Administration of Shanghai also reminded consumers that they can follow its "six nos" suggestions in their daily ordering: do not continue if the privacy policy is not disclosed, do not provide unnecessary personal information, do not grant one-click phone number authorization, do not impulsively sign up for "tempting" memberships, and do not accept targeted marketing advertisements.
Source: The Paper.