Exposing "black data": Your personal information has been passed through several hands

[[188851]]

According to feedback from industry insiders, there is an unwritten rule in the industry, which is that you will never come into contact with real buyers and real sellers. Basically, all processes go through several hands. The black market data is so huge that it may exceed the imagination of many people.

"At the end of the year, the black industry was rampant. On the one hand, the company has been improving the security of its risk control systems and data technology. On the other hand, it has also launched an anti-black alliance with the industry to share some identified blacklists." On December 13, a JD insider responded to an interview with a reporter from 21st Century Business Herald.

Starting from the early morning of December 11, news about the suspected data leak of JD.com attracted widespread attention from the market.

JD.com responded urgently that the data originated from the security vulnerability of Struts 2 in 2013, which affected almost all Internet companies, banks and government agencies in China, resulting in a large amount of data leakage. At the same time, it admitted that there are still a small number of users who have not upgraded their account security in time, and there are still certain risks.

This incident has once again put black market transactions in the spotlight, especially at the current point in time, when consumer credit is developing rapidly and the price of personal consumption big data is also rising.

"The history of the black industry is long, and personal consumption big data is part of the personal information category. With the rise of consumer credit, personal consumption big data can be used in many application scenarios and has been hyped up by the black industry in recent years." On December 13, Wei Qianyu, CEO of Shenzhen Xiaoyuren Technology Co., Ltd., revealed in an interview.

Black market transaction paths exposed

"To put it bluntly, black market transactions are actually similar to the drug trading markets seen in movies. First, there is a large group of people responsible for producing 'drugs', and then there are people responsible for collecting information, including buyer information and seller information," Wei Qianyu revealed.

According to feedback from industry insiders, there is an unwritten rule in the industry, which is that you will never come into contact with real buyers and real sellers. Basically, all processes go through several hands. The black market data is so huge that it may exceed the imagination of many people.

On the same day, a person from an anti-fraud big data technology company told the 21st Century Business Herald reporter that the specific path of black market transactions is that the upstream obtains user information, such as account passwords, user identity information, bank card information, etc., by creating virus Trojans, various phishing methods, and hacker attacks. In addition, the acquired data will be further refined and screened through some database collision and database washing methods, and integrated through layers of transactions. Finally, the downstream uses the information for illegal profit-making activities, such as telecommunications fraud, stealing game equipment, and stealing card transactions.

"Of course, there are also many black industry automation auxiliary tool industries, such as code collection platforms, code printing platforms, etc." said the aforementioned person.

On December 23, a person from a large credit reporting company also admitted that at present, due to the numerous links in the acquisition, storage and use of personal information, the offline and online dissemination is hidden and complex, the cost of tracing the source is very high, discovery and investigation are difficult, and the penalties and compensation are small. At the same time, there is huge profit margin. The current law enforcement situation provides a huge speculative space for the black industrial chain.

"In fact, the sale of personal information has become an underground industrial chain. From the illegal collection of personal information at the source and hacker intrusion, to the illegal sale, purchase, resale, and illegal use, illegal infringements may occur in every link of personal information acquisition, storage, and use." The person said.

Up to now, the most common illegal ways of obtaining information are through the Internet, including obtaining and purchasing information through phone numbers, call records, transaction orders, location information, ID card household registration information, home addresses, etc.

"The phenomenon of citizens' personal information being maliciously collected has always existed. For example, when you install certain apps, you will be prompted whether you agree to use your location and whether to send you messages. This is just what we see on the surface." Wei Qianyu said. "In fact, as long as you install this app, your mobile phone number, name, address, email, bank account, social account, uploaded pictures, private photos and other information are only collected and stored in a database. Once this database is attacked or breached by hackers, the information inside will be exposed."

Personal credit information faces excessive collection

It is worth mentioning that in recent years, with the sustained and rapid development of my country's economy, driven by the development of housing credit, auto credit and credit card business, my country's consumer credit has achieved rapid growth. Pure consumer credit has grown to 5 trillion yuan in the past five years, an increase of more than 800 times compared with ten years ago. The rise of consumer credit has prompted credit institutions to have a huge demand for personal information screening.

In the process of using credit information data, multiple links may be involved, including information collectors, providers (including collectors), organizers, processors, storers, inquirers, and users.

On December 13, Guo Yuhang, co-founder and CEO of Dianrong.com, said that the AI ​​(artificial intelligence) big data approach requires the collection of a large amount of personal privacy data, and there is a high possibility of excessive collection, including GPS information about where you go to work every day, where you go home, whether you work overtime, whether you are late, and other various information.

According to the industrial and commercial registration information database, there are approximately 2,000 companies related to "credit reporting services" on the market, of which only about 100 corporate credit reporting agencies have completed registration, and only eight personal credit reporting agencies have been approved by the People's Bank of China for establishment. That is, currently qualified credit reporting agencies account for less than 5% of the entire credit reporting market.

"A group of unlicensed, unregulated and even illegal institutions and individuals are reselling people's information for huge profits, which has caused the vicious consequence of 'bad money driving out good money' for formal credit reporting agencies." In this regard, the person from the aforementioned large credit reporting agency said. "It can be said that the existing regulatory regulations control formal institutions, while the 'wild children' are running wild without anyone to control them."

On December 13, a reporter from 21st Century Business Herald learned from Sesame Credit that Sesame Credit clearly stated that it “does not collect user chat, Weibo, WeChat, community-related speech data, and does not purchase any form of black data.” Hu Tao, general manager of Sesame Credit, said, “Any abuse of user personal information will cause serious damage to users, institutions, and society.”

Fu Weigang, executive director of the Shanghai Institute of Finance and Law, believes that a feasible measure is to change the burden of proof in civil litigation, changing the current "whoever asserts must provide evidence" to "reversal of the burden of proof." As long as the plaintiff provides the fact that the defendant contacted him, he can file a civil lawsuit on the grounds that the defendant illegally obtained his identity information.