In September 2019, the company's capital chain operated by Wang Yong had problems, and it was difficult to recover the arrears at the moment. He filled in his personal information on the mobile phone APP and lent a sum of money through 360 IOUs to solve the urgent need.
360 Debit Note is a consumer credit brand of 360 Financial Group. 360 Finance was listed on NASDAQ in 2018, and its products include 360 Debit Notes, 360 Small and Micro Loans and 360 Installments. The financial report shows that as of December 31, 2019, 360 Financial had 135 million registered users.
Wang Yong had a good experience of the early stage of this online loan. He thinks that the interest rate is not high and the platform service is also good. In the meantime, although the staff of 360 Debit Notes called to urge payment, his repayment was still timely, and no unpleasant things happened to both parties.
However, Wang Yong did not expect that while obtaining fast and convenient services, an invisible "black hand" was quietly reaching out to him. The information he registered on 360 IOUs was publicly sold online.
In the interview and survey, the VC channel of People's Daily Online "purchased" hundreds of data of "360 IOUs" in 2019 in the name of customers. The seller named Li Gang revealed that these data were flowing out of the "360 Debit Note". The seller claimed that he could guarantee the shipment of about 30000 pieces of data every day (including "360 IOUs" data), and the minimum price of each piece was 3 cents.
According to the information shown in the data, the venture capital channel of People's Daily Online randomly dialed nearly 100 users, 17 of whom confirmed that they were 360 debit note users, 33 of whom were empty numbers, and the rest of whom either hung up or denied.
Since then, the venture capital channel of People's Daily Online has "purchased" another 200 "360 IOUs" data in 2020, randomly dialed 110 users, 21 of whom admitted to being 360 IOUs customers, 65 of whom failed to get through (or the prompt number was empty), and 24 of whom hung up or denied. In this regard, Li Gang explained that some people will "maliciously" apply on the platform, but the data can be filtered to ensure that there is no empty number.
In the opinion of many insiders of the online loan company, the presence of an empty number or the owner's shutdown does not necessarily mean that the user data is unqualified. It may be that some people cannot afford to pay back the loan or do not want to pay back the loan, and some people can not resist harassment and make the phone stop or shut down.
Public peddling
Every once in a while, Li Gang advertised his personal information in his circle of friends: "In the process of continuous production, the boss who needs to contact..."
The information he sells includes customer data of 360 Debit Notes. According to the official website of 360 Debit Note, 360 Debit Note is a financial technology platform for consumer loans, mainly relying on 360's data, flow and technical advantages. It is mainly used as an intermediary to connect high-quality loan customers with the loan services of financial institutions.
According to the official website, 360 IOUs can accurately portray customers and analyze their repayment ability and credit ability, thus reducing the financing costs of borrowers and the analysis costs of lenders. Its assessment of consumer credit limit mainly considers credit risk, payment habits, consumption habits and other aspects. The technologies used include cloud computing, machine learning and big data.
"360 debit note data has high purity and good quality, and is very popular with customers." Li Gang recommended that 360 debit note data include real-time, overnight, fortnightly and historical data. The price of real-time data is 2 yuan, overnight data is 50 cents, weekly data is 500 yuan, and historical data is 300 yuan, 10 thousand.
Li Gang has repeatedly guaranteed that the data of these external sales are from the internal staff of 360 Debit Notes. He can guarantee the shipment volume of about 30000 pieces (including 360 debit note data) every day. Most buyers are small and medium-sized customers. Some "customers" buy thousands of pieces at a time, and some buy tens of thousands of pieces a day. He claimed that "customers" had never reported any problems with the 360 IOU data he sold. He said that he only wanted to ship goods and never asked "customers" why they bought data.
He even reminded that the data sales industry is a mixture of good and bad people, with many fraudsters, so don't buy too many at a time. After verifying the authenticity, buy in large quantities.
The seller Li Gang said that some of the data sold came from 360 Debit Notes
Li Gang claimed to have engaged in the loan industry. He recommended many financial platforms to the People's Daily Online venture capital channel, including promising future, mustard money, starting point finance, predestined credit, Ruyi loan, ultrafast loan, etc. "One of the most important uses of these data is for fixed-point promotion of '714 anti-aircraft gun' online loan companies."
"714" refers to 7 or 14 days, and "anti-aircraft artillery" refers to excessive "beheading interest" and overdue fees. In 2019, CCTV 315 program exposed the "714 anti-aircraft guns" chaos of cash loans. Key information includes: disguised beheading, high overdue interest rates, "desperate" collection, and loan supermarkets as accomplices.
On March 20, 2019, the China Internet Finance Association issued the Notice on Self inspection and Rectification of High Interest Cash Loans and Other Businesses. The notice requires that all members should carry out comprehensive self-examination on illegal businesses such as high interest cash loans, charging "beheading interest", and violent collection, and submit a self-examination report to the Mutual Finance Association before the end of March, and immediately rectify the problems found in the self-examination.
Li Gang claims that most "customers" come from "anti-aircraft gun" online loan companies. "Five yuan for one piece, although the price is high, the resources are good and the conversion rate is high." He said that at present, China's control over "anti-aircraft artillery" is relatively strict, and many platforms have been transferred to Southeast Asia, but there are still a large number of small online loan companies operating privately.
Li Gang said that with the support of data, a company with more than 30 people can pull about 200 new orders and borrow about 500 again a day. "This is the real feedback from a friend company".
"The 'anti-aircraft gun' is a lending mode with the highest cost and high income among private lending, which can accumulate high profits in the shortest time." Li De, a practitioner of a large domestic online lending platform, said.
Li De introduced that the high cost of the "anti-aircraft gun" platform is mainly reflected in two aspects, one is the flow introduction cost, and the other is the collection cost. The "anti-aircraft gun" platform places advertisements on other websites. As long as someone enters the platform registration page through the advertisement, no matter whether the loan is successful or not, they will pay the traffic fee. Generally, the cost of a single flow on the online loan platform is between 100 and 200 yuan. If the repayment needs collection, the cost is higher.
Insider leak?
"WeChat checks are too strict, and three WeChat messages have been blocked one after another within a week. I think it is too much advertising." Li Gang, who has been in business for less than two years, constantly complained about the difficulty of doing business. Since the regulatory authorities cracked down on "anti-aircraft gun" online loans in 2019, business has plummeted, and some "anti-aircraft gun" platforms have been forced to move to Southeast Asia.
Li Gang said that when business was good in the past, the demand for data was in short supply, and many sellers even had the idea of "watering down" the data, adding fake data to the real data. "But you can rest assured that the data I sell is absolutely true, and these are all data obtained from the internal staff of 360 Debit Notes."
"Can I verify the data?"
"What to verify? Send you some data for trial." Immediately, Li Gang sent an Excel. The data table shows that the product type is marked with 360 IOUs, and the submission time is June 5, 2019. Each information displays the loan order approval status, as well as the loan limit, user name, and mobile number.
"Some buyers can tell whether the data comes from within the company, but some customers do not care about these, and the data is easy to use," said Li Gang.
360 debit note user information sold by seller Li Gang
Li De revealed that at present, personal information leakage can be roughly divided into three ways. One is that individuals leak information unconsciously. The second is that enterprises or individuals with a large amount of data intentionally leak confidential information and enter the black chain. The third is that criminals invade the network database of relevant enterprises and departments through technical means to obtain a large amount of personal information.
"Most people often say that hackers steal data, but this kind of theft needs strong technical support. Real hackers have a wide way to make money, and they don't look at these data at all." Li De said that criminals whose technology does not reach the level of hackers can also crack individual systems if they are lucky, but the amount of information stolen is very limited.
In his opinion, the main reason for information and data leakage today is that there are internal demons. The loan data of his company is open internally, and anyone can extract and sell the data. There are many types of data, including the borrower's name, contact information, ID card number, as well as the relevant content information of the mobile phone address book, graphics information, etc. Some loan companies even require the borrower to provide nude photos. Without the consent of the other party, it is entirely possible to sell the other party's nude photos, charging according to the size of the capacity. The amount is too large to calculate, or even sold in packs.
Li De said that a friend of his once engaged in data sales, which belonged to terminal retail data merchants, mainly sold "senior official" data. The price of a piece of data was about 1000 yuan, and the price of his relatives' data was 300 to 500 yuan. His friend, as a seller, only got 10% commission, so his wife is the most profitable person.
"I heard that an insider bought two suites in Hangzhou in less than half a year by selling the data of a well-known e-commerce company, but he was caught later." Li De said that most of the insiders only provide data, not sell data, and get a share from the sales channels. Almost all major channels and retailers flatter these insiders.
Hotbed of crime
In the gray Jianghu of underground transactions, "slang" has become a common rule for both parties. "Sfz" stands for "ID card", "sjh" stands for "mobile phone number", "bc" stands for "gambling", and gambling, marketing, etc. represent the use direction of such data.
In Li De's view, the main sales channels of user privacy data are online loans, gambling, collection, marketing and pyramid schemes. He analyzed that marketing agencies are mainly used to find target customer groups; Gambling institutions are to provide services such as pornography, gambling and drugs, most of which are fraud gangs; The collection institution is mainly to accumulate the user database.
Li De's friends have experienced "violent collection". His friend once received a strange phone call, and the other party claimed that if he did not pay back the money, he would send insulting text messages to his friends and friends' families, publish nude photos of PS, and even make personal attacks. At that time, his friend chose to call the police, and finally ended up with nothing.
"Have you heard of naked loans? Some women borrow money with naked photos as collateral. If they don't pay back on time, the online loan company will threaten them to expose the naked photos, but some people have no intention of paying back the money." Li De said, these people know that even if they pay back on time, nude photos or videos may flow out, so some of them often use the method of power off or shutdown. "
The "anti-aircraft gun" online loan seems to have huge profits, but it is actually difficult to collect money. Li De said that some borrowers have a low credit rating. When they run out of money, they will make loans on the "anti-aircraft gun" online loan platform, or even sell their ID cards.
In Li De's view, the high interest online loan platform is a "survival" tool for some low credit people, and illegal groups such as collection companies, mafia and pyramid schemes also "love" to call these people's mobile phone numbers to expand their teams.
"I heard that someone once found the personal information of his enemy through the financial platform, and then used the other party's ID number to fake ID cards, and ran many cards, and even used the other party's identity to shout on the Internet to offend netizens. His enemy was not only on the credit blacklist, but also blocked in front of his home and scolded." Li De said.
Li De revealed that after obtaining the data, the fraud gang would first filter the data by the user's age, and their favorite target of fraud was college students. They believe that college students have not yet entered the society and are more likely to be cheated because of their simple nature. Secondly, college students regularly have living expenses remitted by their parents, and the cash is relatively fixed. Thirdly, some college students want to find jobs after graduation, and do not want to appear stains before entering the society. Once this weakness is grasped, the fraudster will tell the other party that if the late fee is not paid on time, the case will be left at the end of the case, affecting employment, and college students will easily follow suit.
According to the data released by the Ministry of Public Security, by the end of 2019, the police had registered 29 criminal acts of fraud using citizens' private data, involving more than 468 million pieces of personal information, and involving nearly 100 million yuan.
Zhang Xihuai, senior partner of Yingke Law Firm, said that at present, the law has clear penalties for the black industry chain involving personal information. As a financial platform, it should be responsible for the protection and custody of user and consumer data. If data leakage threatens public security and causes serious damage, the platform should bear not only civil liability, but also criminal liability.
Supervision to be strengthened
In the past few years, the leakage of personal information and data at home and abroad has occurred frequently. According to media reports, in 2018, the criminal suspect Liu used hacker means to steal the hotel data of Huazhu Group and peddle it on overseas websites, after which he was captured by the police; In 2019, the AI face changing software ZAO under Momo caused an uproar due to the risk of privacy disclosure, and was finally interviewed by the Ministry of Industry and Information Technology. In foreign countries, the data of 57 million Uber drivers and passengers were leaked in 2016; In the same year, Yahoo revealed that 3 billion users' login data had been stolen, and in 2017, 143 million Americans were involved in the disclosure of user information by Equifax, an American credit bureau
Some details record the name, mobile phone number, address, and even the room opening record.
Xue Jun, vice president of the School of Law of Peking University, said that Article 111 of the General Principles of Civil Law stipulates that the personal information of natural persons is protected by law. Any organization or individual who needs to obtain personal information of others should obtain and ensure the security of information according to law, and should not illegally collect, use, process, transmit personal information of others, or illegally trade Provide or disclose personal information of others.
Yang Dong, director of the Internet Security Research Center of the National Development and Strategy Research Institute of Renmin University of China, said that the Criminal Law Amendment (IX), which came into effect in 2015, revised Article 253 of the Criminal Law, and set criminal penalties for illegal collection, reselling, and provision of personal data information. China's laws against theft, illegal access to and purchase of personal information are also vigorously advancing.
Yang Dong believes that at present, China's criminal punishment has been very strong, especially for insiders who directly illegally steal or illegally obtain citizen information, they will be sentenced to three to seven years of fixed-term imprisonment and a fine, and the unit and the person in charge of the unit will also be punished.
At the same time, Yang Dong said frankly: "The criminal law focuses on the afterwards attack. Although the attack is the largest, the scope of the attack is small, and the number of criminal punishment cases is not too many." He said that compared with windfall profits, the cost of criminals' illegal activities is still low, and they can even evade responsibility overseas.
Abroad, the EU has implemented strict data protection regulations GDPR. GDRP is the abbreviation of the General Data Protection Regulation, which is a bill formulated by the European Union legislature in response to the high incidence of information and privacy data leakage cases in Europe. This regulation clearly stipulates that the company needs to establish a data protection officer DPO (similar to CEO and COO senior management positions) to be responsible for personal privacy data protection.
According to the data in the White Paper on Selected GDPR Law Enforcement Cases jointly prepared by ZTE Data Protection Compliance Department and Data Law Union, as of September 24, 2019, 22 European data regulators had made administrative penalty decisions totaling 370 million euros for 87 cases.
Referring to personal data protection suggestions, Yang Dong further suggested that, first, we should strengthen protection in advance and in the process, and strengthen internal control; Second, we should improve the awareness of individual self-protection; Third, we should strengthen positive incentives.
Xue Jun believes that if we want to fundamentally solve the problem of information disclosure, we should also rely on advanced technology. In the link where personal privacy and information disclosure may occur, we should use technology to anonymize information. Only the system can identify these anonymous information, but the actor cannot identify and obtain them.
(At the request of the interviewer, Wang Yong, Li Gang and Li De are pseudonyms in the article)
(Editor in charge: Du Wei (intern), Wang Zhen)
