What is the responsibility of the company for leaking 400,000 pieces of customer information?

How does the victim make a claim?

  The day before yesterday, some media reported that in a recent ministry-supervised case, the Handan police found that criminals had colluded with multiple “inner ghosts” (insiders) at YTO Express, stealing citizens’ personal information by paying to rent YTO’s employee system accounts and then reselling that personal information to different downstream criminals.

Informed sources revealed that the number of leaked information exceeded 400,000.

  On the morning of November 17, YTO Express responded to the incident and apologized.

The lawyer said that users whose information has been leaked can file a civil compensation claim with the courier company.

  Handan Police

  1 yuan per piece of citizen information

  The amount involved is more than 1.2 million yuan

  Recently, in a ministry-supervised case opened by the Anti-fraud Center of the Handan Public Security Bureau in conjunction with the Yongnian District Public Security Bureau of Handan City, criminals colluded with a number of “inner ghosts” at YTO Express and rented YTO’s employee system accounts for a fee to steal citizens' personal information, then resold that information to different downstream criminals.

  The Red Star Capital Bureau was informed that the group that illegally obtained and sold citizens’ personal information had a five-tier structure. The suspect Ma Moujie hired Zhang Mouxing and Gao Mouqiao and rented internal employee system accounts of YTO (Yuantong) at a daily cost of 500 yuan. Gang members Guo A and Du Moulong logged in to the logistics system with the rented system accounts of Zhao Xing and others and exported the express delivery information. Gang member Zhu Mouzhao sorted the stolen express delivery information and passed it to his associate Lu Moushuo, who used WeChat, QQ and other channels to sell the information to areas with a high incidence of telecom fraud.

  The police said that the case involved suspects in Hebei, Henan, Shandong and other provinces and cities across the country, resulting in the leakage of more than 13 million pieces of citizens' personal information and involving more than 1.2 million yuan.

  It is reported that the five YTO employees involved in the case are located in Yongnian, Jize, and Wu'an in the Handan area, and Longyao and Shahe in the Xingtai area, with one person involved in each area. The leaked information covers six dimensions: the sender’s address, name and telephone number, and the recipient's telephone number, name and address.

If the above six dimensions of information are combined to form one piece of information, the number of pieces of information leaked this time actually exceeds 400,000.

According to Ma Moujie’s confession, he packaged and sold the collected information at a unit price of about 1 yuan.

  The Handan Public Security Bureau’s Internet Security Team, together with the Yongnian Internet Security Brigade and the Criminal Police Brigade, set up a task force to investigate. On September 7, they split into three groups and went to a village in Shahe City, Xingtai City, a residential area in Shahe City, and a village and town in Zhongmou County, Henan Province, where the suspects Zhang Xing, Gao Xiao and Ma Xie were arrested in one fell swoop.

At present, the case is still under investigation.

  YTO response

  Risk control platform found abnormal operation of employee account

  The company took the initiative to report the crime and the suspect has been arrested

  On the morning of November 17, YTO responded via its official Weibo that at the end of July this year, the real-time risk control system at the company's headquarters detected that two accounts at YTO Express's affiliated branches in Hebei province had made abnormal queries on waybill information from outside their own branch. This was judged to be an obvious abnormal operation; the risky accounts were closed as soon as possible, and an investigation team consisting of quality control, security, the information center, network management, and Hebei province staff was immediately established to gather evidence and investigate the incident.

  The investigation found that individual employees of the franchise outlets were suspected of colluding with external criminals, using employee accounts and illegal third-party tools to steal waybill information, resulting in the information leak.

The company subsequently reported the case to the local public security department and fully cooperated with the investigation.

The relevant suspect was arrested in September.

For more information about this case, please refer to the public security agency's disclosure.

  YTO Express stated that it apologizes for the problems exposed in this case.

The company will continue to improve the information security risk control system through "system + technology" means, and monitor internal accounts in real time to actively discover violations of laws and regulations.

At the same time, efforts will be made to strengthen franchised outlets' awareness of lawful operation and information security, and to better cooperate with public security organs in cracking down on illegal acts involving user information security.

YTO also released mailboxes and telephones for supervision by the general public.

  YTO said that the case was first discovered by the information security risk control system.

The relevant person in charge at YTO told the Red Star Capital Bureau that the information security risk control platform regularly monitors the various operations of the information system, promptly detects violations, and proactively warns of possible information leakage incidents.

Examples include user behavior analysis and early warning, which builds multi-dimensional profiles of employee operating behavior and gives timely warning of possible risks through dynamic behavior analysis; and risk warning and blocking, which automatically monitors high-risk behaviors in the various information systems, raises timely alerts on risky behaviors according to custom rules, and alerts on and automatically blocks high-risk behaviors in progress. "In this security incident, the risk control platform automatically detected abnormal operations on employee accounts and handled them automatically."
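As an added illustration (not YTO's code and not part of the original report), the kind of custom rule described above can be sketched as a monitor that counts each account's waybill lookups outside its own branch and alerts on and blocks the account once they dominate its activity. The log fields, thresholds, branch codes and account names are assumptions constructed for the example.

```python
from collections import defaultdict

# Assumed thresholds for illustration; a real platform would tune them per role.
MIN_FOREIGN = 5          # out-of-branch lookups per day before the rule can fire
MAX_FOREIGN_RATIO = 0.5  # share of a day's lookups allowed to be out-of-branch


class BranchQueryMonitor:
    """Custom rule: alert on and block accounts that mostly query other branches."""

    def __init__(self):
        self.total = defaultdict(int)    # (account, day) -> all lookups
        self.foreign = defaultdict(int)  # (account, day) -> out-of-branch lookups
        self.blocked = set()
        self.alerts = []

    def handle(self, day, account, account_branch, waybill_branch):
        """Return True if the lookup is served, False if the account is blocked."""
        if account in self.blocked:
            return False
        key = (account, day)
        self.total[key] += 1
        if waybill_branch != account_branch:
            self.foreign[key] += 1
        f, t = self.foreign[key], self.total[key]
        if f >= MIN_FOREIGN and f / t > MAX_FOREIGN_RATIO:
            self.blocked.add(account)  # automatic blocking; later lookups are refused
            self.alerts.append({"account": account, "day": day, "foreign": f, "total": t})
        return True


def build_sample_log():
    """Constructed records: (day, account, account's branch, waybill's branch)."""
    log = [("day1", "clerk_a", "HB-01", "HB-01")] * 20   # ordinary counter work
    log += [("day1", "clerk_a", "HB-01", "HB-02")] * 2   # occasional misrouted parcel
    log += [("day1", "clerk_b", "HB-02", "HB-02")] * 3
    # clerk_b then bulk-queries waybills belonging to other branches
    log += [("day1", "clerk_b", "HB-02", b) for b in ("HN-07", "SD-03", "HB-01", "HN-09")] * 10
    return log


def replay(log):
    """Feed the log through the monitor; return it plus lookups served per account."""
    monitor, served = BranchQueryMonitor(), defaultdict(int)
    for record in log:
        if monitor.handle(*record):
            served[record[1]] += 1
    return monitor, served


if __name__ == "__main__":
    mon, served = replay(build_sample_log())
    print(mon.alerts, dict(served))
```

With the constructed log, the account doing ordinary branch work is never flagged, while the bulk-querying account is cut off after its fifth out-of-branch lookup and the remaining lookups are refused.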

  This is not the first time that the express industry has encountered customer information leakage

  In November 2012, some media reported that express tracking number information from many express companies, including Shentong, YTO, and Zhongtong, had been leaked on a large scale, and that the tracking numbers were put on the Internet for public sale at prices ranging from 0.4 to 2 yuan.

The website that sells the order number also provides blank copies of the courier companies and free carbon paper.

  In October 2013, the media exposed that nearly a million pieces of YTO Express customers' personal information could not only be purchased online, but that the tracking number data could also be updated 24 hours a day.

  From July 2018 to May 2019, the defendant Li Moucheng used crawler software to illegally steal express delivery information on courier collection and missing items from YTO Express Co., Ltd., and sold it to Lin Moujian, an outsider (who has been sentenced by the Xinluo District Court of Longyan City, Fujian Province, for the crime of infringing on citizens’ personal information), illegally earning more than RMB 1 million.

  Lawyer

  Courier companies should be held accountable for improper storage of customer information

  Lawyer Wang Xiaoying of Hualu.com, who has followed network information security for many years, told the Red Star Capital Bureau that if consumers' personal information is leaked by way of express tracking numbers, consumers can file a lawsuit against the express company for compensation.

  There are at least two parties that consumers can sue. One is the employees of the courier company who resell the courier numbers and personal information.

Article 253 of the Criminal Law of the People’s Republic of China stipulates that where staff of state agencies or of financial, telecommunications, transportation, education, medical and other entities violate national regulations by selling or illegally providing to others citizens’ personal information that their entity obtained in the course of performing its duties or providing services, and the circumstances are serious, they shall be sentenced to fixed-term imprisonment of not more than three years or criminal detention, and shall also, or shall only, be fined.

Anyone who steals or illegally obtains the above-mentioned information by other means shall be punished in accordance with the provisions of the preceding paragraph if the circumstances are serious.

  In addition, even if the party reselling the information is an employee, the courier company is jointly liable for improper storage of customer information and lax management, and it will also be sued in court.

Because the express company has a responsibility to keep the customer's personal information confidential, under contract law it will be held accountable for leaks.

  Lawyer Zou Hui of Hualv.com told the Red Star Capital Bureau that users must send and receive express delivery with real names, and express delivery companies must strictly protect citizens' personal information.

The "Civil Code" set up a special chapter to regulate privacy and personal information protection, the "Criminal Law Amendment" added the "crime of infringing on citizens' personal information" and other crimes, the "Network Security Law" established the principle of personal information protection, and the "Consumer Rights Protection Law" clarified the obligations of "providers of goods and services" to protect consumers' personal information.

According to relevant laws, users whose information has been leaked can file a civil compensation claim with the courier company.

  Chengdu Commercial Daily-Red Star News Reporter Wu Danruo