Technology is easy, “inside ghosts” are hard to prevent – Xinhuanet.com

User information has become “Tang Monk meat”, and express delivery companies are accelerating the construction of “firewalls”. Experts say:

Technology is easy, “inside ghosts” are hard to prevent

Recently, the media reported that 5 YTO Express employees rented their internal employee system accounts to outsiders at a price of 500 yuan per day, resulting in the leakage of more than 400,000 items of user information. On November 17, YTO Express issued a statement saying that the case was discovered and reported by the company on its own initiative, and it apologized for the problems the case exposed. The company said it will continue to improve its information security risk control system through “system + technology” means.

Although user information has received increasing attention in recent years, it has become a coveted commodity in the internet’s black and gray industry, and leak incidents continue to occur. So how should a user information security “firewall” be built?

User information becomes “Tang Monk meat”

According to the YTO Express statement, at the end of July this year, the company headquarters’ real-time risk control system detected that two accounts at affiliated outlets in Hebei Province were making abnormal inquiries about waybill route information, which were judged to be clearly abnormal operations. The risky accounts were closed at once, and an investigation team made up of the quality control, security, information center, network administration and other departments, together with the Hebei Province side, was set up to conduct a forensic investigation into the incident. The investigation found that individual employees at franchise outlets were suspected of colluding with outside criminals, using employee accounts and illegal third-party tools to steal route information, resulting in an information leak. Around 43,000 items of confidential information were involved. The company subsequently reported the case to the local public security department and fully cooperated with the investigation.

The suspect in this case, Ma Moujie, is reported to have paid YTO Express employees 500 yuan per day to rent their internal employee system accounts. Another gang member would log in with the rented account, enter the logistics system and export express delivery information; the stolen courier information was then sorted and resold through WeChat, QQ and other channels.

The leaked information this time covers six fields: the sender’s name, address and phone number, and the recipient’s name, address and phone number. According to Ma Moujie’s confession, he packaged and sold the collected information at a unit price of approximately 1 yuan.

“I often get fraudulent calls that state exactly my name, address, recent online purchases and shipping address, so I wonder where they got my information from.” Ms. Qiu, an office worker living in Xisanhuan, Beijing, complained to reporters recently. The reporter learned that many people have received fraudulent calls with such accurate information and feel that their information has become “Tang Monk meat.”

Operational management faces challenges

In fact, it is not uncommon for express delivery company employees to act as “inside ghosts” and leak user information. In September 2019, in a case uncovered by Nanjing police, 13 suspects, among them 6 couriers, used their positions to steal user data from the courier company they worked for, and the amount involved was 12 million yuan.

Liao Huaixue, a lawyer with Taihetai Law Firm, told the Workers’ Daily that under the relevant laws and regulations the criterion for judging personal information is identifiability: any information that can directly or indirectly identify a specific individual is personal information. The sender and recipient information shown on an express delivery waybill belongs to the category of personal information. “The express company may have a service contract relationship with the user or with the merchant. Whatever the relationship, it must fulfil the obligation of confidentiality for the user’s personal information.”

So why has express delivery become an area hard hit by the leakage of user information? At which nodes must the security of user information be guaranteed? Liao Huaixue believes that express delivery involves multiple links, such as receiving and shipping, sorting, transportation and delivery. Across this process a wide range of people come into contact with user information, which is prone to regulatory blind spots. There is room to optimize and improve express delivery processing procedures and management systems.

A member of the express delivery industry who asked not to be identified told reporters that since the real-name express delivery system was implemented, express delivery companies hold users’ identity information, which is more sensitive and of higher value, and which easily attracts the greed of the black and gray industry. Express delivery companies that hold this information need to improve system security on the network side, which means facing not only tougher technical challenges but also high costs.

Zhao Xiaomin, an expert in the express delivery industry, believes that many express courier companies have no problem with “firewall” technology and invest heavily in technology every year. The key is that operations and management still face considerable challenges.

Users must also be aware of protecting their information

Following the incident of internal employees leaking user information, YTO said it will continue to monitor internal employee accounts in real time and actively uncover violations of laws and regulations. At the same time, it is working to raise awareness of lawful operation and information security at franchised outlets, and to cooperate more closely with public security organs in suppressing illegal activities involving the security of user information.

As for technical measures, security verification should be strengthened, with traditional account-and-password verification supplemented by other verification methods. Permission management in the information system should be tightened, granting only the minimum operating permissions and the minimum scope of information access needed for the job. Furthermore, partial masking can be used to prevent information leakage by encoding and hiding users’ personal information. Liao Huaixue believes that in terms of institutional measures, express companies should establish internal control mechanisms for the protection of personal information, sign confidentiality agreements with internal employees, and strictly enforce the penalty mechanism for breach of contract; the information security responsibilities of every department and position within the company should be clarified, unrelated personnel should be strictly prohibited from entering express delivery storage and processing sites, and dedicated staff can be assigned to carry out security monitoring of information processing in the receiving, sorting, transport and delivery links.

Chen Xiaowei, Senior Partner at Beijing Yingke (Shanghai) Law Firm, believes that citizens should be conscious of protecting their personal information in daily life. For example, it is better to choose a public place or a pickup station as the express delivery address rather than filling in a detailed home address, and to blot out or tear off important information before discarding express packaging. Once it is discovered that personal information has been leaked, report it immediately to the relevant department or to the public security organs.

Reporter Gan Xi