Mass Data Leaks Sound Alarm About Taiwan’s Cybersecurity

Underlying the leaks is the real concern that sensitive personal information could end up in Beijing’s hands.

A series of incidents over the past three months raised concerns in Taiwan about data security. Particularly worrying is the possibility of sensitive information about the Taiwanese public – including high-ranking members of the Taiwanese government – ending up in the hands of the Chinese government.

In late December, news broke of a purported leak involving the household registration of close to all Taiwanese citizens. The data was being sold on the BreachedForum website and involved 23.57 million pieces of information that had apparently been stolen from the Ministry of the Interior’s Department of Household Registration.

To prove that it was genuine, 200,000 pieces of information were viewable as a sample. This included information on the residences of Vice President William Lai, National Security Council Secretary General Wellington Koo, and Minister of Economic Affairs Wang Mei-hua. Particularly concerning is the belief that this information is likely to end up in the hands of the Chinese government.

A whistleblower who took the information to the Taiwan People News (民報) has stated that the information was leaked onto the Dark Web in May 2020 by the hacker TooGod. Supposedly, the information is from 2019. There have been reports about the leak of over 20 million household registrations since 2020, though there has been a lack of clarity about whether a data breach actually took place. In response to the leak, the Ministry of the Interior insisted that the information is outdated, as it uses a formatting system that is no longer in place.

The account that was selling the data on BreachedForum was also selling 1.68 million pieces of information from the Taiwan Stock Exchange and 28.11 million pieces of information from the Bureau of Labor Insurance.

In a similar timeframe, in January, there was a public outcry after it was reported that prosecutors were investigating three former National Health Insurance Administration (NHIA) employees on charges that they leaked data from Taiwan’s National Health Insurance (NHI) system to China. Two NHIA employees surnamed Hsieh and Lee were found to have conducted searches into 133,000 and 35,000 entries respectively, with Hsieh searching over 100,000 entries in 2018. The purportedly leaked data was from 2009 to 2022.

The NHIA has stated that it did not find any evidence that the accused employees stored the data and that they accessed the data as part of statistics research.

Following reports by Mirror Media (鏡週刊) that former NHIA chief secretary Yeh Feng-ming may have had 1 billion Taiwanese dollars in overseas accounts, media speculation centered around Yeh working in collusion with Hsieh and Lee to sell this data to China over 13 years, potentially placing a focus on stealing the data of national security personnel.

Democratic Progressive Party (DPP) legislators such as Michelle Lin and Liu Shih-fang have suggested that China seeks to cultivate ties among NHIA personnel by way of cross-strait exchanges. Both legislators have criticized the NHIA for failing to reassure the public.

Concerns about a possible leak of NHIA data are likely to affect future academic research using government health data. A research project by Academia Sinica’s Institute of Biomedical Sciences for matching patients to medicines based on genetic information, which uses the genetic information of 600,000 patients, was criticized by DPP legislator Huang Kuo-shu earlier this month for potentially violating the Human Biobank Management Act. Apart from concerns about whether there are sufficient opt-out mechanisms for patients to avoid infringement of their privacy rights, there are likely concerns that this information could end up in Beijing’s hands. The Chinese government has been reported as collecting the genetic information of Uyghurs, Tibetans, and other ethnic minorities.

Data leaks have also impacted the private sector. A database for the car rental service iRent, containing personal information from 140,000 individuals, was found to be accessible online. The information included the name, home address, e-mail address, mobile phone number, driver’s license photo, and partly redacted credit card information of iRent users.

The information was stored on a cloud server owned by iRent operator Hotai Motor Company, without password protection, and was accessible just by IP address. iRent has close to 1.4 million users.

The insecure server was first reported by the US media outlet TechCrunch. TechCrunch first attempted to inform Hotai of the unsecured database but received no response. After TechCrunch contacted the Ministry of Digital Affairs, however, the ministry took action to prevent the database from being accessible.

iRent has stated that it will compensate, with free hours, the 400,000 users who registered with the service since the unsecured database began to be used. Nevertheless, the Taipei city government has fined the company NT$90,000, and the Ministry of Transportation and Communications has fined iRent a further NT$200,000.

Later on, another car rental service, Car-Plus, was accused by New Power Party legislator Chiu Hsien-chih of having unsecured data on its app, allowing for access to transaction data. Car-Plus has stated that it has since notified the 16,000 users of its app of the data leak.

Since the incident, there have been calls from DPP legislators for the government to create a government body for data security. Most calls for establishing this entity were in the wake of the iRent scandal, rather than after leaks regarding household registration or health insurance information. The iRent scandal received more coverage than the other two scandals.

At the same time, in the past two months, there have been several cases regarding concerns about potential data breaches that involve companies accused of links to China – particularly companies based in Singapore.

One case involves Bondee, a social media app that allows users to create virtual avatars and chat rooms where they can interact with 50 of their friends. Bondee quickly gained traction among designers, musicians, and other creative circles.

However, concerns were raised about Bondee’s resemblance to the Chinese social media app Jelly (啫喱). It seemed to be the same app except rebranded with a different name, even though Bondee was registered as a Singaporean company. Likewise, users noted that Bondee’s user agreement referred to Taiwan as a part of China, which was unusual.

Jelly surpassed WeChat as the most downloaded app in the Chinese app ecosystem in January 2022. But by February 2022, Jelly was removed from the Chinese app ecosystem after users reported spam calls and incidences of fraud after registering. Fears were, then, that Bondee was the same Chinese app seeking to enter the Taiwanese market after being ousted from China over leaking users’ personal information.

Similar concerns have been raised regarding the e-commerce platform Shopee, which now operates several brick-and-mortar stores in Taiwan. Like Bondee, Shopee is a Singaporean company but has been accused of close ties to China, given Chinese investment in the company. Tencent Holdings owned 39.7 percent of Shopee when its Taiwan entity was registered in 2015, though its current stake is now at 18.7 percent.

Taiwanese regulators have been criticized by civil society groups such as the Economic Democracy Union (EDU) for taking a lax approach to Shopee after three network shutdowns alleged to have compromised the information of Taiwanese users – not to mention that Shopee is already one of the e-commerce platforms in Taiwan with the highest incidences of fraud. According to the EDU, this occurred despite fines imposed on Taiwanese companies for similar network shutdowns. Otherwise, Shopee has been accused of unfair business practices to establish a foothold in the Taiwan market, such as initially not charging delivery fees but later raising its fees substantially, and of being allowed to operate in the Taiwanese market without the backing of a licensed institution by the Financial Supervisory Commission.

The recent incidents raise questions about data security in both Taiwan’s public and private sectors. In Taiwan’s context, an added layer of concern about data breaches or leaks is the possibility of sensitive information ending up in the hands of the Chinese government. It remains to be seen whether there will be concerted action from the Tsai administration on such matters.