"Insiders" are the main source of leaks of citizens' personal information: three typical cases involving a trust company, a telecom operator and an airline

In the era of big data, the protection of citizens' personal information has attracted ever wider attention from society. On August 23, the Beijing High Court held a press briefing to release the status of criminal trials involving infringement of citizens' personal information. Since 2018, courts at all levels in the city have concluded a total of 219 criminal cases of infringement of citizens' personal information and sentenced 294 offenders. The cases show that the infringed information includes highly sensitive data such as whereabouts and property information, and that leakage by insiders is the main source of crimes infringing on citizens' personal information.

Sun Lingling, a member of the Party Leadership Group and Vice President of the Beijing High Court, said that among all cases closed by Beijing courts, 24.6% involved highly sensitive information, including whereabouts, communication content, credit information and property information, and 9.9% involved sensitive information, including accommodation information, communication records, health and physiological information, transaction information and other personal information that may affect personal and property safety. Citizens' mobile phone numbers and ID numbers account for the largest proportion of all information types. "In recent years, there have been vicious incidents across the country caused by the leakage of highly sensitive information. Criminal cases involving the infringement of such personal information should be focused on to prevent secondary risks," Sun Lingling said.

The cases involve infringement of citizens' personal information on a large scale, often in batches or even in massive quantities. Among the 179 first-instance cases involving the crime of infringing on citizens' personal information, 162 used the number of pieces of information as the main basis for conviction and sentencing. More than half of the cases involved more than 50,000 pieces of information, and about a quarter involved more than 500,000 pieces. In some cases, millions, tens of millions, or even over 100 million pieces of information were seized.

The methods of crime are also becoming more covert. Buying, selling or exchanging personal information through groups on social software, website forums and other platforms is a common method. In recent years, the "dark web" has gradually become an active venue for criminal transactions, and payment methods have evolved from real currency to virtual currencies such as Bitcoin. Beyond the increasingly hidden transaction environments and payment methods, the technical means of secret theft are also maturing; "crawler" software, for example, has become one of the commonly used tools for collecting large amounts of information.

Judging from the source and flow of the personal information, the crime of infringing on citizens' personal information spans industries such as finance, education, transportation, communications, logistics, recruitment and law. Excluding intermediate links such as buying, selling and exchange, 39.6% of the information involved was used for illegal or even criminal activities, such as illegal withdrawal of housing provident funds or credit card applications, violent debt collection, telecommunications and network fraud, theft of deposits, extortion, kidnapping and intentional injury.

Judging from the defendants, more than half of them worked for companies or institutions or were individual business operators. Among them, company employees, including middle and senior management and legal representatives, accounted for the largest proportion at 50.3%. Many of the defendants hold higher academic qualifications and senior positions in Internet companies, financial investment companies, real estate agencies and the like.

"Looking at the entire criminal chain, leaking of information by insiders is the main source of crimes that infringe on citizens' personal information," Sun Lingling said. Industry "insiders" have repeatedly committed such crimes, and the team-based crime model has matured; some "internal and external collusion" crimes even form organized gangs covering the full chain from obtaining, trading and monetizing personal information to illegally using it. In response, the city's courts have severely punished industry "insiders" who leak citizens' personal information in accordance with the law, focusing on cases that involve highly sensitive and sensitive information, the personal information of special groups such as minors, and bulk personal information. For example, the Chaoyang Court has focused on key industries and explored the application of occupational prohibition orders to raise the cost of crime for industry workers, giving equal weight to punishment and to warning and education.

Telecom network fraud is the typical downstream crime of infringement of citizens' personal information. Over the past three years, judicial authorities have used special operations such as the "Card Break" operation and the crackdown on "pension fraud" to intensify in-depth crackdowns on related crimes. In one concluded case of infringement of citizens' personal information and fraud involving two large criminal groups headed by Zeng and Li, the upstream group illegally obtained and sold examination candidates' mobile phone numbers and social media accounts, while the downstream group sent mass "exam assistance" fraud messages to candidates over telecommunications networks. The criminal gangs carrying out the fraud were all dismantled, promptly preventing further candidates from suffering property losses and effectively maintaining a normal admissions and examination environment.

The Beijing High Court released three typical cases of infringement of citizens’ personal information

On August 23, the Beijing High Court released to the public three typical cases of infringement of citizens' personal information. The information involved in the three cases is mostly highly sensitive and closely linked to other illegal and criminal activities, illustrating the danger posed by employees in the relevant industries leaking personal information. The Beijing High Court stated that it will increase punishment for crimes that infringe on citizens' personal information: where violating national regulations by illegally obtaining, selling or providing citizens' personal information constitutes a crime, the offenders will be severely punished in accordance with the law.

Project manager at a large international trust company illegally logged into a bank's personal credit reporting system and saved other people's credit reports

Before the incident, defendant Shen was a project manager at a large international trust company. Taking advantage of his position, he obtained a username and password for a bank's personal credit reporting system through "credential stuffing" and other methods. Using a terminal at the trust company connected to the bank over a dedicated line, he illegally logged into the bank's personal credit reporting system several times and queried, downloaded and saved a total of 100 credit reports belonging to other people.

The investigation also found that Shen had previously used the same method to query, download and save more than 1,000 credit reports of others. The Xicheng District Court sentenced Shen to one year in prison and a fine of 4,000 yuan for infringing on citizens' personal information.

The judge said that in contemporary society personal credit information, as a citizen's "economic ID card", plays a very important role in personal life, affecting travel, loans, employment and many other areas. For this reason, the 2017 "Interpretation on Several Issues Concerning the Application of Law in Handling Criminal Cases of Infringement of Citizens' Personal Information" issued by the "Two Highs" (the Supreme People's Court and the Supreme People's Procuratorate) classifies credit information as highly sensitive information, and illegally obtaining, selling or providing 50 or more pieces of such information meets the threshold for criminal liability.

Internal and external collusion with a telecom operator's business hall staff to register mobile phone numbers in batches for use in telecommunications network fraud

The defendant Hu applied to a large communications operator in Beijing to register mobile phone numbers in batches in the name of a technology company. Through the defendant Zhang, Hu hired other people to act as nominal managers and, for a fee, used identity documents of others supplied by Zhang to handle the above business. The defendants Ren and Lu were staff members at the operator's business hall; although they knew that the mobile phone numbers being registered by Hu's company were suspected of being used for fraud, they still processed them. The investigation found that the registered mobile phone numbers were later used in telecommunications network fraud, with losses totaling approximately 1.7 million yuan.

The Daxing District Court sentenced Hu to 4 years in prison and a fine of 120,000 yuan for two crimes: infringement of citizens' personal information and assisting information network criminal activities. Zhang was sentenced to 2 years in prison and fined 20,000 yuan for infringing on citizens' personal information; Ren and Lu were each sentenced to 1 year in prison and fined 10,000 yuan for assisting information network criminal activities.

The judge said that telecommunications fraud is the most common downstream crime of infringement of citizens' personal information and causes serious social harm. The defendants in this case jointly carried out a scheme of internal and external collusion and upstream and downstream cooperation, infringing on citizens' personal information and assisting telecommunications network fraud, causing large property losses to the victims, and their conduct was of a vile nature.

Jailed for selling celebrities' flight information and infringing on their whereabouts

The defendant Qin worked, through a labor dispatch arrangement, as a domestic customer service representative at an airline's customer service center. The defendant Li had worked for a technology company responsible for the systems of an international airline and, after leaving that job, obtained flight information through former colleagues. From 2020 to 2021, Qin and Li, directly or indirectly exploiting their ability to look up flight information, violated the relevant national regulations by illegally obtaining the flight itinerary information of passengers, including celebrities, along with other citizens' personal information, and selling it to others. Their actions infringed on the whereabouts, identity document information and other personal information of many unspecified citizens, causing damage to the public interest.

The Chaoyang District Court sentenced Qin and Li to three years' imprisonment each for the crime of infringing on citizens' personal information and fined each of them RMB 40,000. It further ordered the recovery of their illegal gains and banned Qin and Li from working as aviation customer service representatives for three years from the date they complete their sentences. At the same time, Qin and Li were ordered to pay compensation for the damage to the public interest, which was confiscated and turned over to the state treasury, and to apologize publicly in national news media.

The judge said that this case is a typical civil public interest lawsuit attached to a criminal prosecution for infringement of citizens' personal information. The personal information sold by the defendants Qin and Li included passenger manifest information, historical flight records, citizen ID numbers and passport numbers; the manifest information included the passenger's name in pinyin, flight number, seat number, flight date and booking date. For a buyer, this information, individually or in combination, reveals the whereabouts of specific natural persons, whether celebrities, fans or other ordinary passengers, at specific points in time, and is therefore citizens' personal information protected by criminal law.

How can companies prevent "insiders" and protect personal information?

Sensitive data access control

Enterprises can combine business, data protection, security and compliance requirements to group sensitive enterprise data and consumer personal information into logical data sets, and enforce access control on conditions such as sensitive data type, control action, access type, validity period, subject location and execution path, returning only the sensitive data that is necessary under the principles of "business necessity, least privilege and separation of duties". For example, privileged accounts can be prohibited from accessing business data, business system accounts can be blocked from accessing data beyond their authorization, and institutional staff can be prevented from tampering with consumer personal information in violation of regulations.

Dynamic desensitization of sensitive data

Dynamic desensitization (data masking) applies masking in real time as sensitive data is accessed. Customizable masking templates let masking strategies be combined flexibly according to specific business needs, meeting the compliance requirements for data delivery while keeping data use safe and efficient. Examples include masked display in application front ends, automatic masking of query results that exceed a staff member's authorization, and on-demand masking of sensitive data for BI analysis and reporting. Different masking strategies can be configured per business application user name and application access path, flexibly meeting both business and regulatory requirements. Masking policies can also be configured by sensitive data type, which reduces the number of policies by orders of magnitude and greatly improves operation and maintenance efficiency.

Reduce permission exposure

For data that circulates dynamically, exposure should be kept to a minimum under the principle of data minimization. For example, in database operation and maintenance scenarios, virtual account credentials can replace the real credentials of the data source, reducing the risk that the data source's passwords (including weak database passwords) leak. At the same time, fine-grained real-time control can be applied to people in different roles, and high-risk privileged accounts can be supervised and detected promptly. For instance, control can be narrowed to the query permissions of specific individuals (the real data operators), so that data access traces are attributed to the real operator rather than to a shared account.

Authentication agents refine access control

Data security managers can define data sets and users or user groups based on business conditions, configure and enforce access control policies, and thereby allow, deny or raise an alert when specific users access specific data sets. Access control policies can be configured by sensitive data type, security level and user tag, with the ability to block high-risk access.
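One way to combine the controls described in the four points above (data sets classified by sensitive data type, allow/deny/alert decisions keyed on role and access path, dynamic masking of fields the caller may not see in full, and an audit trail attributed to the real operator), as an added Python illustration that is not code from the article or from Origin Security. The roles, access paths, masking formats, column types and the 50-value alert threshold are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Masking template per sensitive data type, applied when the caller is not
# authorised to see that type in full (formats are constructed for the example).
MASK = {
    "phone": lambda v: v[:3] + "****" + v[-4:],
    "id_number": lambda v: v[:6] + "*" * (len(v) - 10) + v[-4:],
    "flight": lambda v: "*" * len(v),
}
COLUMN_TYPE = {"name": None, "phone": "phone", "id_number": "id_number", "flight": "flight"}
HIGHLY_SENSITIVE = {"id_number", "flight"}  # identity and whereabouts data
BULK_ALERT = 50  # unmasked highly sensitive values in one query that trigger an alert
# Per-role policy (assumed): data types returned unmasked, and the access paths allowed.
# A privileged DBA account gets no path at all, so it never reads business data.
POLICY = {
    "customer_service": {"unmasked": {"phone"}, "paths": {"crm_app"}},
    "credit_officer": {"unmasked": {"phone", "id_number"}, "paths": {"credit_app"}},
    "dba": {"unmasked": set(), "paths": set()},
}

@dataclass
class Request:
    operator: str   # the real person, not a shared or virtual account
    role: str
    path: str       # application or channel the query arrived through
    columns: list

AUDIT = []  # (operator, role, path, decision, rows returned)

def mediate(req, rows):
    """Apply the policy to a query; returns (decision, masked rows)."""
    rule = POLICY.get(req.role)
    if rule is None or req.path not in rule["paths"]:
        AUDIT.append((req.operator, req.role, req.path, "deny", 0))
        return "deny", []
    out, exposed = [], 0
    for row in rows:
        masked = {}
        for col in req.columns:
            dtype, val = COLUMN_TYPE.get(col), row[col]
            if dtype is None or dtype in rule["unmasked"]:
                masked[col] = val
                exposed += dtype in HIGHLY_SENSITIVE
            else:
                masked[col] = MASK[dtype](val)
        out.append(masked)
    decision = "alert" if exposed >= BULK_ALERT else "allow"
    AUDIT.append((req.operator, req.role, req.path, decision, len(out)))
    return decision, out
```

The alert threshold mirrors the idea that bulk retrieval of highly sensitive records is itself a signal, independent of whether each single query was authorised.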

Faced with heavy self-inspection and rectification requirements from regulators and the difficulties of internal data security management, Origin Security provides an integrated data security protection strategy together with integrated log analysis for security operations. It addresses the data security issues enterprises face in scenarios such as database development and operations, data analysis, outsourced third-party technical services and bank back-office management, and meets needs such as protecting new and legacy applications without modification, fine-grained row-level permission control, masked display in front ends and traceability of data leakage events, delivering an integrated solution for data asset security and security policy management.

[Reprint source: Beijing Daily WeChat official account]

Source: blog.csdn.net/oripoint/article/details/132473256