Friday, Jul 28, 2017, 8:54 PM CST – China

Society

Data Leakage

Social Insecurity

A recent report indicates serious security vulnerabilities in the government’s social security data banks – who should plug the gaps? NewsChina investigates

On April 22, Butian, one of China’s largest Internet leak detection websites and a product of IT security firm Qihoo360, released its most recent set of data on the safety of China’s social security database. According to the report, since April 2014, 46 loopholes were found in social security databases in 19 provinces, including Zhejiang, Shaanxi, Hebei, Sichuan and Jiangsu. 44 of these loopholes were classified “high-risk,” involving the social security data of a total of 52 million individual citizens, with information relating to more than 10 million people “still at risk” due to unrepaired loopholes.

Facing a public outcry, the Ministry of Human Resources and Social Security (MOHRSS) quickly responded that “the general operation of China’s social security system is stable, and no leakage of the personal information of any Chinese citizen has been found.”

Yet experts say that the existence of such fundamental loopholes is a serious threat to the safety of personal social security information. At the same time, the government’s inaction in the face of the threat and a lack of appropriate legislation is increasing the risk of massive data loss.

Emergency Repairs

Deng Huan, an IT security expert at Butian, told NewsChina that the social security information currently at risk includes a large volume of highly sensitive data, such as identity card numbers and salary details. Were this information to leak, it could be used to commit various forms of identity theft, including credit card fraud and the falsification of IDs.

Though the MOHRSS remains outwardly confident about the security of its system, it has begun carrying out a large-scale emergency repair effort. Shortly after Butian released the data, NewsChina found some previously exposed loopholes had been repaired and others were in the process of being repaired. Many local human resources and social security departments are also urgently auditing their systems.

An official from the Zhejiang provincial Human Resources and Social Security Department told NewsChina that the department had responded proactively to the revelation of security issues, and had found no cases of personal information leakage. “According to information we collected, only Jinhua City in Zhejiang saw an abnormality in its online [social security] system, which was duly repaired,” the official said. Meanwhile, similar departments in Shaanxi Province, Liaoning’s provincial capital Shenyang and Shandong Province’s Yantai City also told NewsChina they had repaired loopholes in their respective systems.

Browsing Butian, NewsChina found that repair work is still being carried out on loopholes in Zhejiang’s Yongkang City, Shanxi Province and Chongqing. Meanwhile, loopholes in the health insurance system in Shaanxi’s Tongchuan City and Jilin’s provincial capital Changchun – the latter involving data on 7.7 million people – remain unrepaired despite being discovered three months ago.

Recent media reports say that 60 percent of the exposed loopholes have not yet been repaired. However, Li Zhongzhen, spokesperson for the MOHRSS, has responded that 40 percent of the loopholes exposed had already been noted and repaired.

Deng Huan told NewsChina that Butian’s platform can only show vulnerable data, but cannot ascertain whether or not any specific social security data has been leaked.

Deng also emphasized that “normal people won’t use these loopholes, but hackers may steal citizens’ personal information through these loopholes for illegal purposes.”

Shortly after these loopholes were exposed, a Chongqing resident using the online handle Shen posted a story online claiming that on February 3, 2015, someone had applied for a social security card using a forged copy of Shen’s identity card, before using it to steal 2,000 yuan (US$322). Shen claimed he had reported this to the police, but the case had yet to be solved.

Government Inaction

The MOHRSS claims to have established an information safety monitoring system covering national, provincial and city levels, and to have entrusted the real-time monitoring of national Internet safety to a dedicated institution.

However, many experts believe that the root of the problem lies in the failure of local governments to keep pace with the recent rapid development of Internet technology; many government websites are still maintained by traditional institutions or employees with outdated knowledge.

Zhang Weihong, general manager of the Zhejiang Province branch of Chinalabs, a famous cyberspace think tank, pointed out that the government’s information safety technology is vastly inferior to that in use in the private sector. With trade secrets stored in their internal IT systems, “many [private] enterprises spend large amounts of money on Internet security,” Zhang said. “Meanwhile, the limited [IT] expertise of many government employees, as well as improper staffing [practices], have led to security loopholes.”

According to Meng Zhuo, manager of wooyun.org, an Internet loophole whistleblower platform, many government IT data breaches, such as the leakages of weak passwords, are actually very simple to repair. In his opinion, the fact that some loopholes remain vulnerable to attack for months is simply due to government inaction. A manager from Butian also told NewsChina that the company often receives no response after it alerts government departments to vulnerabilities in their own systems.

Legal Loophole

There have long been laws in China governing the protection of citizens’ personal information. China’s Criminal Law stipulates that the leaking or sale of personal information by government employees carries a sentence of up to three years’ imprisonment and a fine. However, legal experts point out that the regulations in the Criminal Law remain ambiguous. There are increasingly strong calls for the promulgation of a Personal Information Protection Law (PIPL).

As far back as 2003, the National People’s Congress – China’s top legislature – began drafting a PIPL. In recent years the government’s annual “Two Sessions” conferences have heard delegates’ proposals that the approval of a PIPL should be accelerated. However, no concrete results have emerged.

“Presently in China, there are already more than 200 laws and regulations related to the protection of personal information. However, these laws and regulations aim mostly at protecting personal information from direct infringers – those who directly steal, illegally collect, utilize and trade the information,” Zhu Wei, researcher from the Research Center of Law of Communication, China University of Political Science and Law, told NewsChina. “Few of these laws and regulations touch upon the responsibility of the government as a keeper of citizens’ personal information.”

Such legal loopholes have allowed the government to pass the buck when personal information leaks occur – many cases run out of steam if no direct infringement of the law is found.

In 2012, the Standing Committee of the NPC released its “Decision to Strengthen Internet Information Protection,” a document stipulating that “related departments should perform the duty of... maintaining information safety, and government employees have the duty to keep personal information secret.”

“The Decision emphasizes the legal responsibility that government takes in the protection of personal information,” said Zhu Wei. “But it still avoids the question of liability if data breaches occur.”

Pang Zhuting, chief strategy officer at Venustech, a leading provider of network security products in China, agreed that related laws and regulations should be clearer about assigning liability in the event of an information leak. He suggested job titles like “chief information safety officer” be created within the government’s social security departments and more investment be made into the construction of an information security system in order to catch up with the rapid development of technology.
