In January, Wang Cheng, a local resident in Beijing, ordered a portable hard drive from Dangdang.com, a leading Chinese B2C site, but received two deliveries.
Wang signed for the first package and paid 399 yuan ($63.33) as required without hesitation, because the deliveryman had Wang's address, phone number and correct purchase information. Shortly after the deliveryman left, Wang found what he had received was a fake product.
When the courier who had Wang's real purchase arrived half an hour later, Wang realized that he had been scammed. "I'm afraid information about my transactions on Dangdang was hacked," he said.
It was reported last December that the information of Dangdang's 12 million users had been leaked online.
In recent years data security has become a pressing issue in China, especially since last December, when a spate of cases involving the illegal trade of personal information occurred.
On March 15, the China Center for Information Industry Development (CCID), a research institution affiliated with the Ministry of Industry and Information Technology (MIIT), released a report about online personal information security.
According to the report, the security situation regarding personal information at 105 popular Chinese websites was "bad" and on mobile devices it was "terrible," said Gao Chiyang, Executive President of Beijing CCID.
"About 60 percent of Internet users have encountered personal data losses online, according to our survey," said Liu Jiuru, Deputy Director of the MIIT's Electronic Technology Information Research Institute.
On April 20, the Ministry of Public Security (MPS) launched a crackdown on crimes involving the personal information of citizens in 20 provincial-level regions.
By April 27, the police had cut off 44 "major sources" selling citizens' personal information and apprehended 1,936 suspects. According to a statement released by the ministry, 978 of these suspects are currently in police custody for criminal offenses.
"Illegal trading in personal information has been rampant, and it has led to criminal activities such as telecom fraud, blackmail, kidnapping and illegal debt collection," said the statement.
On December 20, 2011, more than 6 million user accounts and passwords on CSDN, the country's biggest online community for IT programmers, were made public after hacker attacks.
A few days later, 360buy, China's second largest B2C site by business volume, was also reported to have fallen victim to data breaches. Ordinary Web users could see the registration information of the company's other users, including names, addresses, phone numbers and e-mails, after they logged on.
On December 28, 2011, user information of Alipay.com, a third-party payment service provider that has up to 25 million accounts, was found to have been hacked and exposed.
Other high-profile websites have also been involved in data leaks, including social networking sites such as Tianya, Kaixin001, Renren and Sina Weibo, a Twitter-like service that has 250 million registered users.
As online data leaks increased, the official micro-blog of Aitike, an Internet industry website, disclosed on December 29 last year that a large number of bank customers in China had had their account details leaked, including customers of the Bank of Communications (BOC), China Minsheng Bank (CMB), and the Industrial and Commercial Bank of China (ICBC).
The micro-blog said more than 100 million accounts at the three banks had been affected, including 70 million from the BOC and 35 million from the CMB. A screenshot of some customer names and passwords from the three banks was attached.
In response to these leaks, the MIIT issued a notice on December 28 last year, asking Internet service providers to beef up protection of user information through better internal management and new technologies.
Liu Siyu, Director of the Security Research Team at the Beijing Rising Information Technology Co. Ltd., a leading Internet security company in China, said that many Chinese enterprises are vulnerable to hackers because they failed to take adequate precautions when setting up their websites in the first place. "Most executives in China hesitate to invest in security departments because they do not generate profits for the company," Liu said.
An inside job
Last October, police authorities of Beijing and Guangdong Province looked into several organized crime cases where personal information had been illegally accessed.
On the basis of the evidence collected, the police found that some employees of financial institutions, telecommunication companies and other organizations holding massive personal databases were selling customers' personal information.
The China Software Testing Centre (CSTC), an institution affiliated with the MIIT, estimates that 70 to 80 percent of personal information thefts in China are perpetrated by insiders, and that currently many service providers give their employees access to customer information without proper authorization.
The buyers include information intermediaries and unlicensed investigation agencies, which profit by reselling the data to others at a higher price, sometimes even 100 times the original price, said Liao Jinrong, Deputy Director of the MPS's Criminal Investigation Department.
An official surnamed Liu with the Baoding City Industry and Commerce Administration in north China's Hebei Province gathered large amounts of registered companies' information and sold each piece of information, such as an address and telephone number, for 5 yuan ($0.79), the Beijing Times reported on April 26.
For shareholders' data, he asked for 20 yuan ($3.17) for each mobile phone number or identification card number.
Between 2010 and this April, Liu made nearly 60,000 yuan ($9,523.81) from the illegal trade in personal information.
Liu Tao, a researcher with the CSTC, said that the public is mostly concerned about the security of user information held by the financial and telecom sectors. He likened such information to money deposited in a bank made of paper.
In April, the MIIT, along with 30 other departments, finished drafting guidelines for personal information protection in public and business services and submitted the document to the Standardization Administration for technical approval.
"There is an urgent need for guidelines to protect user information. Such guidelines will offer a reference to enterprises so that they can voluntarily set up systems to prevent user information from being hacked," said Zhu Xuan, Assistant Director of the CSTC.
Zhu added that there are currently few laws and regulations in China protecting personal information, and the establishment of such guidelines will also help to expose enterprises that do not protect their users' information properly.
The new guidelines will clarify basic principles for personal information protection and provide detailed standards on collecting, processing, transferring and deleting this data, said Ouyang Wu, Deputy Director of the MIIT's Department of Information Security Coordination, in an interview with the Beijing Times.
According to the official, the guidelines will be supported by related standards regarding technology safeguards, auditing, management and authentication. "These standards will help determine responsibility before disputes occur and drive enterprises to act in accordance with the guidelines, among which is the 'prevention first' principle," Ouyang said.
The government will also encourage third-party institutions to participate in the investigation of enterprises, he pledged.
According to Ouyang, the national standards for personal information protection are expected to come into being in the first half of this year.
But experts are also worried that the new standards will not have enough influence on the IT industry, as they are not obligatory.
The new guidelines are actually "technical guidance," said Zhu with the CSTC. Technical guidance documents are usually taken as references for industrial operation.
"We should first do market research to gauge public reaction to this," Zhu said. "And we are trying our best to pass a law concerning personal information protection."
Experts have called for new legislation following the mass leaking of personal information last December.
Zhou Hanhua, a researcher with the Institute of Law of the Chinese Academy of Social Sciences, said China still lacks a comprehensive law to protect personal information.
According to a report released in February by Qihoo 360, a leading Internet security service provider in China, more than half of Chinese websites have gaps in their security and as many as 36 percent carry "high-risk vulnerabilities."
"We are in dire need of speeding up information security legislation in order to perfect the web security system and strictly carry out the responsibility system," said Shi Xiaohong, a security expert with Qihoo 360.
The Criminal Law amended in 2009 stipulates that those working in government departments, financial institutions, telecommunications firms, and transport and education departments will face criminal charges if they sell personal information. Under the law, selling or illegally providing personal data to third parties could lead to three years of imprisonment.
However, it fails to clarify whether it applies to other institutions or enterprises that can also easily obtain personal information, such as banks, hospitals and telecom companies.
The country has been considering the law on personal information protection since 2003 but has made slow progress because experts are divided on what information should be protected, according to Ouyang.