Lieutenant General Nguyen Minh Chinh, Director of the Cybersecurity Department (A05, Ministry of Public Security) and Vice President of the National Cybersecurity Association, stated that online attacks, data theft, and the sale of personal and organisational data have become increasingly complex, rapidly evolving with various criminal methods, often planned and targeted.
In Vietnam, in the first six months of 2024, there were 2,364 phishing domains targeting users of major organisations, a 1.2 times increase from the same period in 2023. This accounts for 496 counterfeit websites unlawfully using the branding of prominent Vietnamese organisations, quadrupling from the same period in 2023, and 495,000 distributed denial-of-service (DDoS) attacks employing various methods.
Three terabytes of data were encrypted in ransomware attacks, causing an estimated loss of over 10 million USD. Among these, the LockBit group attacked VNDirect Securities Corporation and the websites of PetroVietnam Oil Corporation (PVOil), Vietnam Postal Insurance Joint Stock Corporation (PTI), I.P.A Investment Group, and IPA Asset Management (IPAAM), resulting in significant losses for these companies.
A key reason for this issue is negligence, which leads to data leakage from various organisations and individuals. In the first six months of 2024, the Technical Monitoring System of the Information Security Department (Ministry of Information and Communications) recorded 90,033 security weaknesses in the information systems of Vietnamese agencies and organisations, with the number of serious incidents handled increasing by nearly 60% compared to 2023.
Viettel Cyber Security (VCS) recorded 46 cases of data exposure, involving approximately 13 million customer records for sale, 12.3 GB of source code, and 16 GB of data. About 17,000 new vulnerabilities were discovered, with more than half deemed high-severity, affecting hundreds of millions of accounts and customer information from organisations and businesses in Vietnam.
The leakage of personal information such as phone numbers, full names, addresses, ID numbers, and bank account numbers has become widespread. Citizens are subjected to frequent scam messages, fake links, and nuisance service solicitation calls.
Nguyen Van Hung, a retiree in Xuan La (Tay Ho district, Hanoi), shared that he frequently receives calls inviting him to invest in stocks, receive vouchers for luxury travel, try liquor, or claim business rewards. Years ago, he purchased an apartment, which may have led to the exposure of his personal information.
Data leaks often stem from user negligence in protecting personal information or implementing inadequate protection measures, such as publicly sharing personal details online or exposing data during transfer, storage, or information exchange.
Common activities such as backing up data, or repairing, selling, or disposing of devices that hold personal information, such as mobile phones, computers, and hard drives, carry exposure risks, even if users carefully delete the data.
For organisations, vulnerabilities in systems, applications, and software, weak compliance with information security regulations, and inadequate customer data protection policies are significant factors. In some cases, companies intentionally share customer data with third parties for unethical purposes.
The Ministry of Public Security has issued warnings about three main types of online fraud: brand impersonation, account takeover, and combined scams, with 24 scam methods. Cybersecurity expert Ngo Minh Hieu (Hieu PC) noted that data leaks are largely due to a lack of knowledge, inadequate data protection measures, and lax control over data collection, processing, storage, and usage.
Vu Xuan Nguyen, Chairman of the Board of Directors of IGB Joint Stock Company, specialising in software and technology, advised businesses to implement measures to prevent data leaks, including multi-factor authentication (MFA) and access control management to ensure only authorised individuals can access sensitive data. Data should be encrypted at rest and in transit, with end-to-end encryption to ensure only the designated recipient can decrypt and read the information. Continuous monitoring and early intrusion detection with technologies such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are essential, and staff should be trained in phishing recognition, basic security skills, and information handling processes to reduce human error risks.
Regular data backups are also essential for mitigating risks in case of security incidents or data loss. IGB adheres to international security standards like ISO/IEC 27001 and uses SSL/TLS encryption for all online connections.
The National Cybersecurity Association has proposed establishing a cybersecurity information-sharing platform to help organisations proactively respond to incidents, monitor new cyberattack techniques, issue early warnings, support strategic decision-making, protect digital assets, and maintain data safety and security.
The association has also launched the free anti-fraud app, nTrust, for smartphones, which helps detect signs of scams by verifying phone numbers, account numbers, website URLs, and QR codes. The nTrust app has over 1 million verified records, compiled from data provided by the Ministry of Public Security, the Ministry of Information and Communications, the State Bank of Vietnam, and other association member organisations.
On October 8, the association officially launched the VnDPO Personal Data Protection Specialist Training Programme. Trainees will receive intensive training, with 60% of the programme focused on hands-on practice. Through the National Malicious Domain Alert System, by June 2024, the Information Security Department (Ministry of Information and Communications) had blocked 3,170 online scam websites, protecting over 10 million citizens from fraudulent websites and illegal activities.