In April and May, the Kaohsiung po-lice department and the Bureau of Investigation cracked the biggest data-theft case ever to have hit Taiwan, involving the leaking of personal information on more than 10 million individuals. This scandal has not only seriously affected public and financial order, but has also shown that Taiwan's data security system needs a thorough overhaul.
At the end of April, the Kaohsiung police discovered that personal data on more than 10 million individuals had been sold by Yu Li International Marketing Corporation to various fraud syndicates. The suspects confessed that the data in their possession had come from FarEasTone Telecommunications Co., Chinatrust Commercial Bank, Macoto Bank, Fubon Bank, Cathay Bank, E. Sun Commercial Bank, and Taishin Bank, and that more than ten criminal gangs had bought the data to send out fraudulent letters and text messages telling people that they had won prizes.
Following a six-month investigation, on May 25 the Kaohsiung field office of the Bureau of Investigation conducted a large-scale search of dozens of Chunghwa Telecom (CHT) offices and credit information agencies throughout Taiwan. The southern field office of the Criminal Investigation Bureau and mobile inspection units of the South Coast Guard Bureau seized large amounts of CHT client data and telephone monitoring tapes, and summoned more than 30 people for questioning.
Given that the chief suspect, Hsiao Jung-hsiang, colluded with crooked cops to steal and sell personal data and that public authorities were implicated, the scandal has sent shock waves throughout Taiwanese society.
According to news reports, Hsiao began his career by founding a credit information office in Kaohsiung. After being prosecuted for malfeasance but found not guilty in 1995, he went into the underground business of collecting personal data. His modus operandi was to buy off policemen and coastguard officers and get them to supply him with data from the cases they were working on. Hsiao's crime syndicate kept a price list of data their clients might be interested in, including addresses (obtained from telephone or license plate records), personal records, household certificates, previous criminal records, country entry and exit information, personal bank accounts, shareholder registers, real estate information, and bank account numbers.
These big cases have confirmed what Taiwanese people had long suspected and feared. Crime syndicates are able commit fraud thanks to dishonest staff in banks, telecom companies, and household administration and tax authorities. Now that even police officers and coastguard officers have been found to have been involved, it's definitely a case of "the good spirits within colluding with the evil spirits without," as the Chinese saying goes.
In mid-June, Taipei City Councilor Liu Yao-jen declared at a press conference that he had bought on the Internet personal information on 1,200 primary and middle school students at NT$1 a pop from a "name list seller." All of this data, most of which was on students in the final years of primary school in Sungshan and Hsinyi districts, had been burned onto a CD-ROM, and included the names of the students and their family members, their grade, telephone number, and address. When the students and their families were subsequently contacted by telephone, all the data turned out to be correct.
On previous occasions, news reports that personal data had been leaked and sold to fraudsters did not make most people feel personally affected. But in this instance, the Kaohsiung police authorities discovered that companies selling personal data had obtained information on 10 million individuals. This is equivalent to data on Taiwan's entire workforce having come under their control. They had access to the personal secrets, including property information, of virtually the entire population of Taiwan. As a result, everyone now feels insecure.
At the beginning of June, Premier Yu Shyi-kun authorized an initial list of senior officials to be punished over the leaking of personal data.
The Executive Yuan's Consumer Protection Commission also announced that monetary compensation would be paid to people whose confidential information was leaked by telecommunication companies. Even people who have suffered no loss from having had their information leaked can demand compensation from the telecom companies. The amounts, ranging between NT$20,000 and NT$100,000, are based on those stipulated by the Law for the Protection of Computer-Managed Personal Information (LPCMPI).
Minister of Justice Chen Ding-nan has declared that individuals who have suffered losses because government employees leaked their personal information are entitled to seek compensation from the government. According to existing regulations, the maximum aggregate compensation for a single personal information leak case is only NT$20 million. The Ministry of Justice is currently rewriting the law to raise this amount to NT$50 million. Department stores and major retailers will also fall under the LPCMPI. The Ministry of Justice is also proposing to the Executive Yuan that a national personal data protection agency be established to prevent future leaks of personal data and to safeguard social stability.
The LPCMPI, which was enacted in 1995, does not define a government agency responsible for administering it and merely gives the Ministry of Justice a coordinating role. Therefore, amending the law to define which government agency is responsible for data protection, expanding the scope of the law's application, and imposing stiffer penalties against those who leak or steal personal data are matters of extreme urgency. The government ought to begin the task of establishing a brand new protection net to confront this crisis by strengthening the supervision of industry and beefing up regulations.
The China Times points out that financial institutions have never regarded their customers' data as important trade secrets to be protected by a variety of measures. The banks' confidentiality protection mechanisms currently focus on preventing illegal loans under a false name, faulty financial statements resulting in bad debt, and embezzlement by bank employees. Confidentiality protection measures have yet to be employed to protect customer data. The Ministry of Finance should rigorously investigate and hold banks accountable for administrative and criminal liability in this area. Next time a financial institution is found to have leaked customers' confidential information, the paper suggests, it should be penalized by being barred or restricted from opening new branches or starting new lines of business. Likewise, the Ministry of Transportation and Communications ought to compel telecom operators to take concrete measures to protect the confidentiality of their customers' basic data.
In the fast-changing world of technology, data is transferred or copied in an instant. It's not enough for the government to insist again and again on the importance of preventing the leaking of information. Ordinary people must also learn to set up a second line of defense.
Tang Yaw-chung, professor in the Department of Computer Science and Information Engineering, National Taiwan University, says that modern technology makes it very easy to copy sound and image data. The more personal data criminals are able to lay their hands on, the harder it is for ordinary people to differentiate between the genuine and the bogus, and the easier it is for them to be taken in. Tang advises people to be constantly on their guard psychologically, to treat what they are told in electronic format with a healthy dose of suspicion and, whenever possible, to keep their personal data to themselves and not give strangers access to it.
Tang believes that over the long term, the government will have to do two things: first, it must stop collecting information on citizens in a cavalier manner; and second, the personal data that is collected must be used for clearly defined purposes and must not be transferred to other agencies or used for other purposes.
Some people warn that by spreading personal data far and near, we have opened a Pandora's Box to all manner of scams and frauds. The only way to put a stop to such criminal activity is to establish a code of conduct for professionals who handle personal data and to intercept and stop leaks right at the top.