In 2017 China introduced the Cybersecurity Law. It was meant to be a comprehensive data security law that would protect citizens from unauthorized use and distribution of their personal information. A year later, abuse of personal information and the sale of customer data that may not have been authorized remain widespread. The collection and sale of this information is a massive business, and because it is so easy to do, the temptation to acquire it unethically or even illegally is always present.
A recent investigation by Reuters revealed that information such as banking records, internet browsing history, vehicle registration and mobile phone usage is widely available from private data brokers. These third-party companies are obtaining some of this data from corrupt employees at banks, phone and internet companies, and in some cases even from the court system. Some of it is obtained through theft and hacking.
This illicit customer data is sold in bulk to these various data brokerages, who use it to compile massive databases profiling the entire population of the country. Just about anyone can then pay for access; marketing companies are frequent customers, paying for tailored lists of specific demographics.
Selling of customer data is often facilitated through the “dark web,” encrypted peer-to-peer networks that are notorious for harboring criminal activity. One recent high-profile example was the theft of data on 130 million clients of Huazhu Hotels Group, the world’s fourth-largest hotel company. The stolen data contained detailed payment and contact information and was sold for eight Bitcoin, or about $56,000 USD.
Though data privacy and security are a global concern, issues surrounding companies selling customer data have lately been acute in China. Some observers believe that this is due to a culture of outdated practices and inadequate security budgets among companies in the country. According to Terry Ray, CTO of Imperva, “Even today, I would estimate that Chinese companies are five to ten years behind Europe and the United States in detective and protective controls for data. That’s not to say there are no success stories of Chinese companies modeling their data security practices after more modern foreign entities, but that is the exception rather than the norm.”
The business of selling customer data
Ray breaks the selling of customer data down into two basic markets: short-lived and long-lived. As he sees it, “two big differences between short-lived data and long-lived data are time to value and future value.”
Short-lived data is data that will not stay current for very long, particularly once the customer learns that there has been a breach of some sort. As Ray explains, “Time to value for short-lived data is usually very high; think credit cards and the combination of matching usernames and passwords. These have very high short-term value, but change very quickly, especially post-breach or upon theft of money or an account take-over … Future value for short-lived data expires very quickly, so while we see some data repositories of this type of data, it is usually significantly less valuable as it ages. Consider that you find a bank charge on your credit card: the first thing you do is call the bank and make a claim for fraud against your account, and the bank responds by replacing your credit card and number, thereby making the data stale in the breached data. This can happen quickly, reducing the future value of the data.”