
Why can someone always "easily" get at our private information: arbitrary interface calls and data that money can buy

2025-03-20   

In recent years, with the implementation of a series of laws and regulations such as the Data Security Law and the Personal Information Protection Law, China's information security industry has made significant progress. However, some institutions that hold large amounts of user data have inadequate network security protections, and their user data has been stolen by criminals. The criminals categorize and label the stolen data and then sell it to the public in forms such as "marriage and relationship reports" and "risk reports", damaging the network security ecosystem. Compared with the earlier practice of "packaging and selling" sensitive user data in bulk, today's online black market is driven by what buyers actually want and sells personal information as "generated reports". Why is our personal privacy so easily obtained by criminals? The reporter investigated.

The network security situation is still not optimistic

"Provide the ID number to check the designated person's credit information and household registration information." "Marital status can be checked; payment accepted in USDT (a virtual currency), WeChat and Alipay." Right after the reporter joined a chat group on a certain overseas messaging app, some group members could not wait to send private messages to solicit customers. In the preview of a "personal credit report" sent by one seller, in addition to name, gender and phone number, each person's job position, housing provident fund and social security payment records, loan limits and other highly private details were meticulously recorded. "These reports can be used for precision telemarketing," the seller said.

According to data from Qianxin, domestic government and enterprise institutions experienced 112 personal information leakage risk incidents in 2024, involving 26.69 billion records of personal information. Although this figure fell by 54.5% compared with 2023, leakage on this scale shows that the network security situation of government and enterprise institutions is still not optimistic.

"The frequent leakage of personal information not only seriously infringes citizens' privacy and creates risks of online fraud, but may also threaten national security. Aggregating, correlating and reorganizing large amounts of personal information can produce accurate profiles of individuals and map the relationship networks between people. This makes it easier for criminals to pick targets and find a way in," said Pei Zhiyong, a security expert at Qianxin.

In addition, some black and grey industries use technologies such as big data and artificial intelligence to scrape and match individuals' private images and videos. Some criminals advertise that "just one photo can check whether your partner is having an affair" in order to profit illegally. "Using web crawlers to collect publicly posted videos and images from websites and then running facial recognition against them in fact violates the privacy rights of the people involved," said Zuo Xiaodong, a professor at the School of Cyberspace Security at the University of Science and Technology of China. Criminals may use leaked personal information and portraits for malicious matching, and the so-called "marriage and love reports" produced this way also cross the legal red line.

Criminals steal data through "data interfaces" and other channels

As institutions take on their primary responsibility for network security, the once-common practice of "dragging the library" (dumping an entire database) has gradually declined. Instead, criminals use data interfaces and other channels to carry out "ant-moving" style theft of personal information, a few records at a time. Name, ID number, mobile phone number, usual address... In a security evaluation conducted by the Network Security Center of the China Electronics Technology Standardization Research Institute, testers found that 60,000 order records could be leaked through one platform's data interface.

"The so-called data interface is the point where data enters and leaves when institutions transmit and share data; it is the 'gateway' for data going in and out. Whoever watches this door can access all the data that passes through it," He Yanzhe, deputy director of the Network Security Center Evaluation Laboratory at the China Electronics Technology Standardization Research Institute, told reporters. Some institutions set up data interfaces without security measures such as identity authentication and access control, which lets attackers "hijack" the interface and pull real-time data at will. Among the data interfaces that He Yanzhe and his technical team have spot-checked in the past, security problems were common. "Compared with 'aged data', real-time data obtained through a data interface also sells for a higher price on the black and grey market," He Yanzhe said. On one illegal forum, someone has set up a dedicated group for sharing data interfaces. Through the interfaces shared there, criminals can obtain sensitive data on designated individuals such as social security information, maternity information and car insurance purchase records.

Institutions lack a security mindset when building digital platforms, and some sensitive data is not given high-level protection. "Stealing data through a data interface does not require a high technical threshold. Some platforms have left interfaces with security flaws exposed for a long time, and an attacker who has mastered a few basic attack methods can pull the platform's latest user data directly through an insecure data interface," He Yanzhe said.
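The interface problem described above (an order-lookup "door" that answers any caller who supplies an ID, with no authentication, no check that the caller owns the record, and no monitoring of how the door is being used) can be shown concretely. The following is an added example written for this page; it is not code from the article, from Qianxin, from the China Electronics Technology Standardization Research Institute, or from any platform the reporter tested. The endpoint path, the order records, the session tokens and the access-log lines are all constructed for illustration. It shows the vulnerable lookup, a hardened version with authentication, object-level authorization and a per-caller rate limit, and a log check that flags the "ant-moving" pattern of one source walking through many consecutive IDs.

```python
"""Added example (not from the article): an order-lookup interface with no
authorization, its hardened form, and a log check for "ant-moving" enumeration.
All names, paths, tokens and log lines below are constructed for illustration."""
import re
import time
from collections import defaultdict
from typing import Optional

# Constructed order table: order_id -> (owner_user_id, record).
ORDERS = {
    1001: ("u42", {"name": "Zhang San", "phone": "13800000001", "addr": "Chaoyang, Beijing"}),
    1002: ("u77", {"name": "Li Si", "phone": "13900000002", "addr": "Pudong, Shanghai"}),
    1003: ("u42", {"name": "Zhang San", "phone": "13800000001", "addr": "Chaoyang, Beijing"}),
}
# Constructed session table standing in for a real session store: token -> user id.
SESSIONS = {"tok-u42": "u42", "tok-u77": "u77"}


def lookup_order_vulnerable(order_id: int) -> Optional[dict]:
    """The pattern the article describes: anyone who knows or guesses an order
    number receives the full record. No authentication, no ownership check."""
    _owner, record = ORDERS.get(order_id, (None, None))
    return record


class RateLimiter:
    """Fixed-window counter per caller: caps how many lookups one credential
    can make per window, so a stolen or rented account cannot drain the table."""

    def __init__(self, limit: int, window_s: int = 60) -> None:
        self.limit = limit
        self.window_s = window_s
        self.hits = defaultdict(list)

    def allow(self, key: str, now: float) -> bool:
        recent = [t for t in self.hits[key] if now - t < self.window_s]
        if len(recent) >= self.limit:
            self.hits[key] = recent
            return False
        recent.append(now)
        self.hits[key] = recent
        return True


LIMITER = RateLimiter(limit=20)


def lookup_order_hardened(order_id: int, token: str, now: Optional[float] = None):
    """Same lookup with the controls the experts call for: authenticate the
    caller, authorize at the object level (does the caller own this order?),
    and rate-limit per caller. Returns (http_status, record_or_None)."""
    now = time.time() if now is None else now
    user = SESSIONS.get(token)
    if user is None:
        return 401, None          # not authenticated
    if not LIMITER.allow(user, now):
        return 429, None          # too many lookups in the window
    owner, record = ORDERS.get(order_id, (None, None))
    if record is None or owner != user:
        return 404, None          # do not reveal that someone else's order exists
    return 200, record


# Constructed access-log lines in a minimal "client_ip GET path status" shape.
SAMPLE_LOG = [
    "10.0.0.5 GET /api/orders/1001 200",
    "10.0.0.5 GET /api/orders/1003 200",
    "203.0.113.9 GET /api/orders/1000 200",
    "203.0.113.9 GET /api/orders/1001 200",
    "203.0.113.9 GET /api/orders/1002 200",
    "203.0.113.9 GET /api/orders/1003 200",
    "203.0.113.9 GET /api/orders/1004 200",
    "203.0.113.9 GET /api/orders/1005 404",
]
LOG_LINE = re.compile(r"^(\S+) GET /api/orders/(\d+) (\d{3})$")


def find_enumeration(log_lines, threshold: int = 5) -> dict:
    """Flag client IPs that successfully fetched at least `threshold` distinct
    order IDs, and count how many of those IDs are consecutive: many small
    successful lookups walking through the ID space is the "ant-moving" pattern."""
    per_ip = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if m and m.group(3) == "200":
            per_ip[m.group(1)].add(int(m.group(2)))
    flagged = {}
    for ip, ids in per_ip.items():
        if len(ids) >= threshold:
            ordered = sorted(ids)
            steps = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
            flagged[ip] = {"distinct_ids": len(ids), "sequential_steps": steps}
    return flagged


if __name__ == "__main__":
    print("vulnerable:", lookup_order_vulnerable(1002))
    print("hardened, wrong owner:", lookup_order_hardened(1002, "tok-u42"))
    print("hardened, owner:", lookup_order_hardened(1001, "tok-u42"))
    print("enumeration:", find_enumeration(SAMPLE_LOG))
```

The hardened lookup returns 404 rather than 403 for an order that exists but belongs to another user, so the interface does not confirm which order numbers exist. The log check counts only successful (200) responses, because a walk through consecutive IDs that mostly succeeds is the signature of an open interface rather than of a failed attack; in a real deployment the same check would run over the access logs of the interface itself, which is exactly the monitoring the article says most institutions do not have.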
It is not difficult to "lock down" the data interfaces, He Yanzhe said, but because institutions do not monitor the security risks of their interfaces, in most cases they find it hard to realize that those interfaces may already be being abused by the online black and grey industry.

In addition, partners and institutional insiders are also major channels for data breaches. In July 2020, an employee of a certain express delivery company rented their work account to criminals for a fee, resulting in the leakage of more than 400,000 pieces of citizens' personal information. After obtaining user data, institutions often share it with partners to extract the maximum value from it. Pei Zhiyong said that during data sharing, some partners did not fully comply with network security agreements, which led to user data leakage. At the same time, some online black and grey operators collude with institutional "insiders" to resell user data. "These two methods account for more than half of the data leakage incidents on the internet knowledge-sharing platform."

Some institutions over-collect user data at the source, leading to an excessive concentration of sensitive data

Lao Dongyan, a well-known personal information protection expert and professor at Tsinghua University Law School, believes that some data-collecting organizations require users or consumers to grant "package authorization" on various grounds, including "improving the service experience", and that this is the root cause of data leakage. The Personal Information Protection Law, which took effect in 2021, clearly stipulates that "the collection of personal information shall be limited to the minimum scope necessary to achieve the processing purpose, and excessive collection of personal information is not permitted". At present, however, the power to interpret this "minimum scope" lies with the institutions that collect the data rather than with users or consumers.

As laws and regulations have improved, China has achieved notable results in cracking down on crimes involving citizens' personal information in recent years, and a number of criminals who profited from selling citizens' personal information have been severely punished. In 2024, police in Chengdu, Sichuan Province, solved 1,201 cybercrime cases, including infringement of citizens' personal information and illegal control of computer information systems, and took 1,116 criminal coercive measures in accordance with the law. In 2024, police in Changzhi, Shanxi Province, travelled to many locations and took down a criminal gang that infringed citizens' personal information and concealed criminal proceeds, arresting 10 suspects and freezing more than 5 million yuan involved in the case. In the same year, police in Hefei, Anhui Province, solved a major case of infringement of citizens' personal information, arresting 11 suspects, seizing more than 1.2 million yuan involved in the case and protecting more than one million pieces of citizens' personal information...

Improve institutions' network security protection capability and build a data security firewall

Experts including Pei Zhiyong suggest that government and enterprise institutions should further improve their network security governance, making sure responsibilities are assigned to specific posts and individuals; after a cybersecurity incident occurs, they should promptly report to the relevant national departments to minimize the losses to users and society from the breach; and they should reduce front-end data collection to lower the risk of leakage at the source. For example, when ordering takeout, if a phone number and address are enough to ensure delivery, no other information should be collected.

According to laws and regulations such as the Personal Information Protection Law, data collection should follow the principle of "minimum necessity". The relevant departments can define the corresponding scope of data collection based on the actual scenarios in which the data is used and set standards for "minimum necessity". Awareness of privacy protection should be strengthened, and people should say "no" to excessive collection and abuse of data. He Yanzhe suggested that institutions and online platforms should pay more attention to personal information protection from the perspective of users and consumers, and must not sacrifice personal information rights for small gains. When internet users find clear signs of excessive collection of user information or potential infringement of citizens' personal information, they can promptly report them to the internet regulatory and public security departments. (Xinhua News Agency)

Editor: Ou Xiaoling   Responsible editor: Shu Hua

Source: Xinhua Net
