Personal data leak affects thousands of Vietnamese

The leak was posted on Raidforums, a forum where data leaks by hackers are often displayed and put up for sale, by an account named Ox1337xO on Thursday. The account allegedly revealed the possession of a large amount of Know Your Customer (KYC) data: 17 GB worth of Vietnamese identity card information, including faces, addresses, phone numbers and emails.

A 1.4 GB file is estimated to contain the information of 3,600 people.

The account put the files on sale for $9,000, to be paid either through Bitcoin or Litecoin.

A cybersecurity expert said they had contacted the account, who claimed the 17 GB worth of data contained the information of up to 10,000 Vietnamese.

The info contained within an identity card could be used to sign up for several accounts, including those in the communications and financial fields, which could prove "troublesome," said Pham Tien Manh, a cybersecurity expert based in Hanoi.

Vo Do Thang, director of cybersecurity firm Athena, said there was nothing ordinary users could do to protect their data. The responsibility now lies on whoever let the data be leaked in the first place, he added.

In the comment section of Raidforums, the Ox1337xO account admitted to accessing the data via Pi Network, a digital currency platform that hosts the "Pi" currency. The platform has raised concerns regarding its transparency since it does not publicize its own source code.

"If it were truly Pi that leaked the data, I will consider leaving behind the 'Pi' coins I've earned," said Ngoc Nam, a new user to the "Pi" mining scene.

However, other miners believe the leaked data could not have come from Pi Network, as the platform neither directly verifies its users' info nor requests pictures of identity cards.

Phien Vo, a moderator of a group discussing Pi Network, which has over 70,000 members in Vietnam, said it is not accurate to say it was Pi Network that leaked the data, as the platform processed KYC data through another third party system called Yoti, a digital identity verification site. Yoti accepts identity cards from 62 countries and territories, but the list does not include Vietnam, he added.

"To perform KYC verification on Pi Network, Vietnamese would need to use their passports. Only some users who used earlier versions of Pi could perform KYC verification using their driver licenses, but so far the system has yet to accept Vietnamese identity cards," he said.

On Monday, the Ministry of Public Security's cybersecurity division launched an investigation regarding the incident. A representative said authorities are trying to discover where the leak came from and how the info got leaked.

To An Xo, office chief of the public security ministry, said the leaked data might be funneled abroad and put up for sale online due to the fact that many services require identity verification.

As of Sunday, the original data leak thread on Raidforums has been deleted.

This is not the first time Vietnamese have experienced a major online data leak. Earlier this year, around 300,000 Vietnamese data profiles, including full names, addresses and phone numbers, were also leaked on Raidforums.