220,000 records of Beijing residents leaked
Nearly 30,000 records of young women, including name, date of birth, ID number, address, mobile phone number, etc., are likely to lead to fraud and reputation infringement
Legal Evening News (Reporter Mao Zhanyu, Intern Xie Boqi) Personal hotel-stay information has been leaked, including name, gender, date of birth, ID number, address, mobile phone number, work unit and other details. Someone uploaded a file named "2000W house opening data" to the Internet, and Internet users are downloading it almost 40,000 times a day.
"Legal Evening News" reporters found that among the 20 million hotel guest records, 220,754 belonged to Beijing residents.
The leak occurred because many hotels used the hotel Wi-Fi management and authentication system developed by Zhejiang Huida Station Company, and the company's level of encryption was low.
The network company involved serves 4,500 hotels
The "2000W house opening data" file does not indicate the names of the hotels where guests stayed. However, the official website of Zhejiang Huida Station Network Co., Ltd. shows that the company's business covers more than 110 cities in 31 provinces, municipalities and autonomous regions except Tibet, and that it provides various services for more than 4,500 star-rated and economy chain hotels.
At present, the "Partners" section of the official website of Huida Station Company cannot be opened. However, the text under the "Company Introduction" column indicates that the company is the only designated supplier of Rujia Digital Room.
Wuyun.com, the domestic security breach monitoring platform that first disclosed the matter, has published a screenshot with a list of some economy chain hotels in cooperation with Zhejiang Huida Station Company, including Home Inn, Hanting, Green Tree, Pudding, Jinjiangzhi 20 stars.
In the morning, Jinjiang Inn, Pudding and Green Tree Inn all told reporters that their Wi-Fi authentication and management systems were not built in cooperation with Zhejiang Huida Station Network Co., Ltd.
GreenTree Inn also stated that its Wi-Fi authentication and management system was developed in-house. It had previously cooperated with Huida Station Company in areas outside networking. Although Wuyun.com disclosed screenshots of the list of partner hotels, this only shows that Dayi Station Co., Ltd. has listed all kinds of hotels with which it has cooperated.
The reporter also tried to contact Home Inn in the morning, but repeated calls to the company switchboard number provided by the customer service staff went unanswered.
220,754 records belong to Beijing residents
Today, "2000W house opening data" can still be downloaded from the Internet normally. The reporter downloaded the data file and carried out a statistical analysis.
According to the statistics of this newspaper, 220,754 of the hotel records involve Beijing residents.
The reporter further found that among the hotel occupancy information involving Beijingers, more than 60% involved male occupants and nearly 40% involved female occupants.
In the 30-to-60 age group, there are 1.9 times as many Beijing men as women. But in the 18-to-30 age group, there are only 1.2 times as many Beijing men as women.
Leaked check-in information attracts considerable attention from netizens
According to people familiar with the situation, after "2000W house opening data" appeared on the Internet it was downloaded frantically, nearly 40,000 times a day. Some people have re-edited it into multiple versions, such as "18-30-year-old mm house opening data" and so on.
The "18-30-year-old mm house opening data" version includes 29,063 hotel check-in records of Beijing women between the ages of 18 and 30.
There are also many websites on the Internet for looking up other people's hotel check-in information, one of the "popular" ones being "www.zhaokaifang.com". The reporter searched for "Zhang Yan", "Li Gang" and other common names, and each returned about a thousand people. According to media reports, these search sites have set up their servers abroad to avoid being shut down, leaving police helpless.
Fully exposed personal information leaves victims vulnerable to phone scams
Shang Jiangang, director of the Information Network and High-tech Professional Committee of the Shanghai Lawyers Association, told the reporter of the "Legal Evening News" that "2000W house opening data" will always bring various risks to those whose information is leaked.
Such data is generally used for various kinds of annoying phone marketing, and in serious cases for phone fraud. In a phone fraud case, the more comprehensive the personal information the criminal holds, the easier it is for the victim to be fooled.
At the same time, it cannot be ruled out that people with bad intentions will publish other people's information on forums, Weibo, etc., infringing on others' privacy, or spread rumors that damage others' reputation.
Data service provider acknowledges information security breach
The official website of Zhejiang Huida Station Network Co., Ltd. shows that the company's mission is to "improve the hotel's network ecology" and its vision is "to build the most suitable network platform for Chinese business travelers, and to become the most professional IT service provider". The site also refers to "IT complexity and IT costs."
After the incident, Zhejiang Huida Post Station Company issued a notice admitting that the wireless system has a low level of information security encryption and there are hidden dangers of information leakage. The technical team has upgraded the system after the incident.
The company apologized to hotel customers for the disclosure of personal information and said the system security issues did not affect all hotel customers.
On the "National Information Security Vulnerability Sharing Platform", established by the National Computer Network Emergency Technology Coordination Center in conjunction with Internet companies, the reporter saw the "Announcement on the Disposition of the Vulnerability Risk of the Wireless Authentication Data Channel Server of Zhejiang Huida Station Network Co., Ltd."
According to this announcement, Zhejiang Huida Post Station Co., Ltd. does have a risk of wireless authentication data channel server vulnerabilities, but has already repaired it. The "National Information Security Vulnerability Sharing Platform" will continue to follow up this matter and do a good job of emergency response.
Incident attributed to imperfect hotel Wi-Fi system
According to Wuyun.com staff, the hotels in question used the hotel Wi-Fi management and authentication system developed by Zhejiang Huida Station Network Co., Ltd., and that is where the problem arose.
A professional who has long been engaged in information security told reporters that at present, almost all hotels have Wi-Fi coverage. To ensure real-name Internet access, Wi-Fi at the hotel requires identity verification. This information must be aggregated to the network companies that provide Wi-Fi services.
The root cause of the vulnerability lies in the imperfect management mechanism of Huida Post Station Company. Its system requires hotels to perform web authentication when submitting check-in records, and this authentication is performed not on the hotel's server but through Zhejiang Huida Post Station's own server, which stores the customer information.
Zhejiang Huida Station Company stores hotel customers' information on its server in real time and allows related parties or requesters to download and read it. Although password authentication is provided, the user name and password used when synchronizing customer information are transmitted in clear text. That is, the data is not encrypted during password verification, which makes it easy for hackers to intercept the plaintext password and then use it to download hotel user data.
Hotels turn to third-party services to set up wireless networks
Mr. Bai, a manager of a network security company in Beijing, said that Wi-Fi coverage in hotels is a regular service that has emerged with the development of the hotel industry.
Setting up a wireless network requires a base station, but the investment cost is too high and dedicated personnel are needed for maintenance. In this case, many hotels choose to cooperate with network service providers, which provide the wireless network services and servers.
Manager Bai believes that letting a third-party company directly manage hotel customer information in itself increases the possibility of leaks. From the perspective of information security, if a hotel chooses to use third-party services, it should raise the entry barrier for cooperation.
The hotel involved was accused of lacking data protection measures
In Manager Bai's opinion, the leak of 20 million room opening information shows that the data management of China's hotel industry is not yet mature.
Professionals engaged in information security work told reporters that many hotels are now busy racing ahead but neglect the management of customers' personal information.
When he gave information security training to enterprises, he clearly felt that the person in charge of a company often only paid attention to the security of the company's own financial information and was very dismissive of maintaining other aspects of information security.
The source said that the inadequate removal of security hazards in many hotels and the lack of management measures in the protection of personal information and data were the keys to information security incidents.
For hotels that use the Wi-Fi management and authentication system of Zhejiang Huida Station Company, customers need to log in to the server of Zhejiang Huida Station Company for web authentication when accessing Wi-Fi.
The source said that customer information could be easily stolen due to flawed system design.
The person said that if the hotels in question had strict permission-management measures for the uploaded customer information, the incident could have been avoided.
"For example, in the banking industry, an 18-character permission operation password is managed by three people in sections, and each person only knows the 6 characters under his control. When the system needs to be operated, these three people first enter their own passwords separately. In some cases, after the verification is successful, it can be operated by someone who does not know the password characters." He said that although this is tedious, it is enough to ensure the security of the information.
Industry claims leaks may affect hotel industry credibility
Sun Tian (pseudonym), the head of the customer service department of a four-star hotel in Beijing, told a reporter at the "Legal Evening News" that even if hotel guests do not use Wi-Fi, they must register detailed customer information.
Article 6 of the "Administrative Measures for the Administration of Hotel Public Order" stipulates that hotels must register the guests they receive. In the past, registration was handwritten by front desk personnel, but now it is done through computer entry, and the hotel's server stores this information. After registration, the guest information is quickly passed to the local police station to facilitate the work of public security organs.
As an "old hand" who has worked in the hotel industry for many years, he is deeply concerned about the incident. He believes that the leakage of information on 20 million hotel guests will affect the credibility of the entire hotel industry.
Sun Tian believes that hotels should attach importance to the protection of personal information of hotel guests, and hotels should undertake personal information management, invest financial resources and improve the management system.
Text / Reporter Mao Zhanyu Intern Xie Boqi