An incoming call with an unknown caller from outside of Vietnam. Photo by VnExpress/Luu QuyMinh Huy, a university student in Ho Chi Minh City, said he and his family have been terrorized by phone calls demanding repayment of loans he never took.
Someone has been calling Huy repeatedly over the past month, saying he owed money with high interest that will balloon to tens of millions of dong (VND10 million= $427.26) if it is not paid back quickly. When he denied ever using the service, the caller brought out a screenshot of an apparent contract with accurate personal information like ID card numbers, phone numbers and email addresses, even relevant information on Huy’s family members.
“This is information I’ve shared with multiple services online when I signed up for various accounts, but I have never submitted them to any credit service,” Huy said.
He suspects that his information might have been stored by some companies and then stolen by someone else, who used them for credit services.
Low public awareness, lax data management and insufficient security measures have contributed to the leakage of personal data by millions of Vietnamese. And once they are out on the Internet, wiping them off is almost impossible.
Do Huong of the northern Vinh Phuc Province said she has only been acquainted with the Internet and smartphones over the past five years. She rarely uses online services that require personal info, but does sign up for discount programs.
“Whenever a shop has a discount program, I would give them the information they requested. They are usually phone numbers and addresses. Sometimes when I win prizes, they would request me to take a photo of my personal ID card as part of the procedure,” Huong said.
Last month, she received a phone call from an unknown number. The caller said Huong is suspected of involvement in illegal activities. They claimed to be authorities and accurately gave her full name and ID card numbers.
“I was so afraid and did nearly everything they asked,” Huong said. “One of the calls asked me submit my bank account info. Luckily, a relative discovered what was happening and reassured me, saying it was a scam. I would have given all my money to the scammer otherwise,” she added.
Huy and Huong are among many victims of personal data leakage incidents that have come to light lately. In a report earlier this month, Minister of Public Security To Lam said over two-thirds of the Vietnamese population have their personal data collected and shared online.
Lam said personal data leakage was one of the most pressing cybersecurity issues at present. Leaked data include personal information like names, gender, date of birth and addresses, ID card numbers, phone numbers and even bank account numbers.
People are not yet fully aware about the importance of protecting their personal data online, and are willing to trade it for “technological conveniences.” On social media, thousands still provide their phone numbers and addresses under threads that promise them prizes like cars and motorbikes, he added.
On the other hand, businesses collect their customers’ personal data for business purposes and allow third parties to access such data. These companies usually don’t have tight regulations regarding this process, meaning personal data could be sold and disseminated online to multiple parties. For example, someone booking a plane ticket online may receive multiple offers for taxi services immediately after, Lam said.
Insufficient security measures by service providers are another factor behind users’ data being leaked online, he added.
“Many systems don’t pay too much attention to security, leading to lax management and security vulnerabilities,” said Nguyen Minh Duc, founder of cybersecurity firm CyRadar.
In recent times, major Vietnamese service providers have begun to invest heavily in security and protection of users’ data. But not all of them do so, he said.
The fact that information like phone numbers, email addresses and ID card numbers are static makes it difficult for them to be wiped off the Internet once they have been stolen and added to hackers’ databases, he added.
“Another alarming problem is the fact that employees of certain companies are actively allowing their customers’ data to be sold and leaked,” Duc said.
Black data markets
Before it was closed down earlier this year, Raidforum, a forum which displayed databases leaked by hackers, had dozens of threads selling the information of Vietnamese users every year. These included everything from gigabytes of ID card information or even data used for cryptocurrency verification purposes.
A report by the public security ministry said hundreds of individuals and organizations have been involved in the sale of personal data in the 2019-2020 period. The amount of data being collected and illegally sold reached around 1,300 GB, the report said.
In 2019, 50 million records of Vietnamese users were leaked from Facebook servers, and the data was still in circulation even to this day. In July, a hacker put the school data of 30 million Vietnamese online, including emails, phone numbers, full names and addresses. The hacker claimed to have taken the data from a major database by a Vietnamese education website.
Ngo Minh Hieu, founder of an anti-scam cybersecurity project, said that once “data markets” like Raidforum were closed down, data brokers switch to messaging platforms like Telegram thanks to their anonymity and convenience. Through these platforms, databases of all shapes and sizes can be put on sale, he added.
The sale of information can be very easy to pull off, Hieu said, adding that anyone can buy it with a small amount of money. For example, a database with ID card information could be sold with for a mere VND5,000 (21 cents). People can also sort databases using filters for gender or relevancy, he added.
“In some hackers’ forums, data is even shared for free or at dirt-cheap prices. Users are the ones who pay the price for having their data leaked,” Hieu said.
As a former black-hat hacker, Hieu said he understood that victims of data leaks can be terrorized by endless phone calls, messages and spam emails. They can also be tricked through social engineering schemes so more data could be collected for future attacks.
There were victims who’ve had to beg for help after having their data stolen and manipulated because their careers and relationships with other people were being affected, he added.
“Try not to, and think very carefully before you share any personal information online. Because once that information is out on the Internet, it would be very difficult to wipe it off. It will be out of users’ control,” Hieu warned.
The public security ministry is now discussing with the government a decree to protect personal data.
“It would be a key solution to prevent and fight data leaks and sale,” Lam said.