The theft and sale of 14 million users' records is "not news" to people in the industry.
"In the express delivery industry this kind of thing has been going on for many years and cannot be cured," Kang told the reporter flatly on August 15. He previously ran a regional express delivery company that worked with Shentong and other courier companies as well as e-commerce sites. In his view, the leak of user information is not at all surprising.
The user information held by a courier company includes the names, addresses and mobile phone numbers of both sender and recipient, plus the contents of the shipment. Kang said the information generally exists in two forms: stored on the courier company's servers, and printed on the waybill (the express delivery form).
"Either way, it leaks easily," Kang said.
Data chaos in the express delivery industry
The growth of e-commerce has brought leaps-and-bounds development to the express industry, and has made courier companies, after the internet giants, among the holders of the most genuine personal information about users. Shun Fung (SF Express) has already begun using big data to lay out its O2O business, analyzing the order structure of an area to decide where to open its "Hey Guest" stores and what goods to put on their shelves.
The concept of big data is on the rise, and users' names, mobile phone numbers and addresses are its most basic components. With the development of e-commerce and internet finance, companies can collect this user information faster and more comprehensively, then store and analyze it for commercial ends. But data security is often neglected by some of these companies.
Kang said big data is a double-edged sword: used well it improves efficiency, but in the hands of criminals the consequences are unimaginable, and in the domestic express industry today data security gets nowhere near enough attention.
According to Kang, apart from Shentong, Zhongtong, Yuantong, Huitong and Yunda (collectively the "four Tongs and one Da") and SF Express, there are tens of thousands of large and small express companies scattered across the regions, their management is not standardized, and user information is left "naked" in this flawed network.
Kang once paid more than 1 million yuan to buy out a Shentong franchise for one region, taking responsibility for Shentong's pickup and delivery business there. When an order was shipped, Shentong's user information was synchronized to the computers of Kang's company, and that data could be kept for a long time. At the same time, the returned delivery waybills (which display the user information) also accumulated at the franchisee. He said cooperation with e-commerce sites follows a similar model: the e-commerce company's data is shared with the express company.
Kang said a number of large courier companies do have rules that waybills must be destroyed centrally after a set period and that computer data must be purged regularly, but in practice these rules are hard to enforce. The data sits on computer hard drives that a courier can copy at any time; handling the waybills is a problem in itself, with tens of thousands of paper copies a year whose storage is also a problem, so some are sold as waste paper and some go straight to a "customer."
Some companies also require firewalls, or even full security systems, but for an express company this is a great expense. Because the industry's average profit margin is only about 10%, each courier buys some cheap firewall software only as a token gesture; as for the encryption technology internet companies commonly use, most couriers will not even consider it.
Zhao, website security director at Qihoo 360, told the 21st Century Business Herald that the level of data security protection in the express industry is generally poor: the sites have many vulnerabilities, patching is slow, and operations staff have weak security awareness (for example, using weak passwords).
The main reason is that the vast majority of express companies have no professional security operations team; some sites lack even basic security protection, and some express companies simply hand their website operations over to an outsourcing firm.
Zhao gave an example: this leaves website vulnerabilities unpatched for long periods. Security firms have repeatedly warned about Struts2 code execution and other high-risk vulnerabilities, yet some express company websites still have not fixed them. Weak passwords are also a prominent problem in the industry; in the recently exposed express-industry data leak, the suspect used a weak password to log into the management backend of a courier company's web server and steal the user database.
Backward security technology and irregular management systems have made the express industry one of the hardest hit by user information leaks in recent years; its websites are very easy to hack. This March, a university student in Hangzhou breached a courier company's website merely while carrying out a network security test.
Kang said the buyers of the data are generally online shop owners, along with some large retail enterprises, who obtain it mainly for marketing. For buyers, a price of two or three cents per waybill is acceptable, and the courier company, by putting its "waste paper" to use this way, increases its revenue.
The worry behind "big data"
Zhao told reporters that according to statistics from 360's website security testing platform, besides the express industry, network security problems in domestic healthcare, education and training, tourism and hotels, real estate, recruitment and other sectors are particularly serious: a relatively high proportion of these industries' sites have vulnerabilities and implanted backdoors, and they are prime targets of hackers' attacks.
Because user data in these industries involves a great deal of personal privacy, such as health status, résumés, contact details and travel records, a hacker attack and data leak would be no less harmful than the express data leak, and the earlier exposure of 20 million hotel check-in records has already sounded the alarm. Not long ago a white hat found a high-risk vulnerability on a city's healthcare website, leaving 1.5 million maternal records running naked on the internet, where hackers could have hijacked them at any time.
On one side data keeps concentrating and big-data applications gradually land; on the other, data leak cases grow more and more numerous. Hou Yudong, CTO of a financial technology company, told the 21st Century Business Herald that prevention has to be tackled from both the technical and the management side.
Hou Yudong said data today can be roughly divided into financial data, privacy data and business data. Security of financial data gets the most attention; banks and third-party payment companies, for instance, have become relatively mature in technology and management systems over the past two years. Privacy data is not directly tied to the security of users' assets, so it gets less attention, while business data faces the enterprise (B) side and is what the industry pays more attention to.
Gao Longfei of the same financial technology company said that for privacy data there are no typical protection cases in China. Users log onto the internet through all kinds of accounts, and many steps along the way leave traces. At the first login through a browser, if the cache is not cleared in time, a hacker can easily get at the data; then during transmission, if the data is not encrypted, it can be intercepted; and in the final step, storage, many companies keep it in plaintext (unencrypted), so once a hacker breaks in the data is easily taken. Even with encrypted storage, a hacker who obtains the credentials of someone with the right permissions can get the data.
Gao Longfei said domestic companies still mostly rely on traditional security management: technical prevention through firewalls, encryption and the like, a pyramid-shaped permission structure, prevention through management systems, and isolation of the big-data business in both the network and the physical environment.
The contradiction between convenience and security will persist. But for some information there are already rules that prohibit websites from recording user data. Gao Longfei gave the example of UnionPay's rules for online card payments, under which a website is prohibited from recording the user's card password, expiry date and CVV (card verification code). Whether such a ban on recording can be extended to a whole industry is hard to say; in e-commerce, for example, prohibiting the platform from recording users' purchase trajectories would inevitably provoke pushback from the platforms.
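The UnionPay rule just described, as an added example that is not part of the original article: a Python persistence gate that refuses any payment record still carrying a card password, expiry date or CVV, keeps only an allowlisted subset, and redacts those same fields from request logs, since a log file is also a "record". The field names, allowlist and sample card data are constructed for illustration.

```python
import re

# Fields the rule forbids a merchant site from recording (names are constructed).
FORBIDDEN_FIELDS = {"card_password", "expiry", "cvv"}
# Fields the merchant may keep for order reconciliation (constructed allowlist).
ALLOWED_FIELDS = {"order_id", "amount", "card_last4", "payment_token"}


class ForbiddenFieldError(ValueError):
    """Raised when a record headed for storage still carries a forbidden field."""


def sanitize_card_record(record: dict) -> dict:
    """Gate a payment record before persistence: refuse outright if any forbidden
    field is present (so nothing can be persisted 'by accident'), then drop every
    field outside the allowlist."""
    present = FORBIDDEN_FIELDS & set(record)
    if present:
        raise ForbiddenFieldError(f"refusing to store forbidden fields: {sorted(present)}")
    return {k: v for k, v in record.items() if k in ALLOWED_FIELDS}


def card_to_storable(raw: dict) -> dict:
    """Reduce raw checkout input to what may be stored: the card number shrinks to
    its last four digits and the sensitive fields are never copied across."""
    pan = raw.get("card_number", "")
    storable = {
        "order_id": raw["order_id"],
        "amount": raw["amount"],
        "card_last4": pan[-4:] if pan else None,
        "payment_token": raw.get("payment_token"),
    }
    return sanitize_card_record(storable)


# key=value pairs in request or debug logs are the second place the rule bites:
# "recording" covers log files as well as the orders table.
_LOG_SECRET = re.compile(
    r"\b(cvv2|cvv|expiry|card_password|card_number)=([^&\s]+)", re.IGNORECASE
)


def redact_log_line(line: str) -> str:
    """Replace the value of any forbidden field found in a log line."""
    return _LOG_SECRET.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)
```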
(Kang in the text is a pseudonym)
(Responsible editor: Lvguang)