The rampant leakage and sale of personal data remains a pervasive issue in Vietnam. Sensitive customer information from major corporations has been leaked and openly traded on the dark web, exploited for malicious purposes, yet legal repercussions have been scarce. As Vietnam accelerates its digital transformation, it is imperative to address these privacy violations with stringent measures to safeguard individuals and businesses.
Ms. Quynh, who is a 31-year-old worker from Ben Tre Province, prefers installment plans due to her limited income. Nevertheless, each purchase usually leads her to significant inconvenience. She normally has to provide the personal information of three family members besides herself to bank officers to complete the procedure. After a few days of a successful transaction, these people begin to receive countless calls soliciting insurance, other installment plans, and even personal loans.
Encountering a similar situation is Phuc from Binh Thanh District in HCMC. He recalled that in 2015, he took out a mortgage with a local bank. Despite fully repaying the loan, he has been receiving numerous messages and calls from bank employees and credit institutions offering loans, installment plans, and real estate purchases. They even precisely recite his personal information and home address before making their offers, making him feel like a wanted criminal.
Public outrage over data breaches has been mounting, while companies related to data services often evade responsibility. Personal information, a valuable asset, is a prime target for cybercriminals. Data breaches not only infringe on privacy but also fuel the rampant trade of personal data, spam messages, and increasingly sophisticated scams.
The Ministry of Public Security has repeatedly warned about the risks of revealing personal information online, which creates opportunities for cybercriminals to collect and sell data, leading to fraudulent activities. To protect themselves from scams, individuals must be vigilant and verify the identity and intentions of those requesting personal information. They are also advised to avoid sharing excessive personal data with untrustworthy online services or websites.
Dr Trinh Ngoc Minh, a cybersecurity expert and member of the Southern Branch of the Vietnam Information Security Association (VNISA South), explained that corporate data and customer information are the main targets for cybercriminals.
Attackers employ two primary tactics: exploiting vulnerabilities to penetrate corporate infrastructure and steal data or encrypt systems for ransom, or using social engineering techniques and advanced technology to deceive victims into divulging sensitive information.
“Many simple actions can lead to data leaks, such as participating in social media games or providing information for various purposes in daily life. Given the increasing frequency of cyberattacks targeting corporate data and customer information, individuals should never share OTP codes, passwords, or click on suspicious links or files. Moreover, businesses must be transparent about their commitments to protecting customer data and face legal consequences for violations,” Dr. Minh emphasized.
Lawyer Pham Dai Duong from the HCMC Bar Association suggests that the primary reason for the increasing misuse of personal information for malicious purposes and cunning scams is the public's low awareness of data protection.
In reality, many organizations and businesses intentionally collect customer information for marketing or sharing with partners, even selling it. These actions are illegal and subject to administrative or even criminal penalties. Specifically, organizations or individuals who fail to protect customer personal information during the collection process can be fined from VND30-50 million (US$1,200-1,997), according to Decree 15/2020/ND-CP.
Organizations that misuse personal information in ways that deviate from the agreed-upon purpose or without the consent of the data owner can be fined from VND40-60 million ($1,600-2,400). More seriously, the act of buying, selling, exchanging, gifting, modifying, or publicly disclosing the lawful private information of an organization or individual on a computer network or telecommunications network without the owner's permission can result in fines ranging from VND30-200 million ($1,200-7,988), non-custodial reform for up to 3 years, or imprisonment of up to 3 years, according to the 2015 Penal Code.
