
Facing massive data leak, Taiwan fails the test

Source: Chien-Tong Wang

It was an unprecedented breach, the personal data of Taiwan’s entire population put up for sale in October 2022. For several months, the Ministry of the Interior denied it, but it was later confirmed. Why the long silence and what did it reveal about Taiwan’s cyber security capabilities?


By Vincent Cheng, Silva Shih
From CommonWealth Magazine (vol. 768)

On Oct. 21, 2022, an individual using the alias “OKE” peddled what was described as the household registration data of more than 23 million Taiwanese citizens on the hacker website BreachedForum. To whet the appetite of potential buyers, OKE made public 200,000 records of people from Yilan County. 

Taiwan's household registration data on the hacker website

“Some friends checked and felt the personal information was genuine, but the government stayed silent. The information was selling for only US$5,000, so those friends pooled their money and bought it,” recalled “Xiao Lo” (a pseudonym), who is active in social communities in Taiwan’s civil society.

Taiwan citizen data for US$5,000

The buyers could not publicly release the actual records, because under Taiwan’s Personal Data Protection Act it is illegal to hold personal information.

But it was not the first time information had been leaked from Taiwan’s household registration system.

In 2020, there was a hacker who claimed to have 20 million pieces of household registration information and was openly offering it on the market. At the time, Taiwan’s Department of Cyber Security said the information originated from several different databases.

But many experts familiar with government data leaks said the incident in October 2022 was unprecedented.

A white hat (ethical hacker) identified as “Benjamin,” who also paid the US$5,000 to buy the leaked records, is one of them.

“This was the first time in history that the household registration records of all of Taiwan’s citizens were publicly offered for sale,” Benjamin said. 

Data puzzle fueling fraud     

“This was a major national security incident,” said Kenny Huang (黃勝雄), the managing director and CEO of the government-funded Taiwan Network Information Center (TWNIC). He said he had not heard of any country facing as massive a leak of citizen information as Taiwan.

In trying to explain the magnitude of the incident, Naiyi Hsiao (蕭乃沂), chairman of National Chengchi University’s Department of Public Administration, stressed that “household registration information is at the very core of government information.”

Over the past few years, successive scandals using personal information as a tool to commit fraud have dealt a fundamental blow to Taiwanese society’s trust in the system.     

Simon Yeh (葉奇鑫), managing partner of the Davinci Personal Data and High-Tech Law Firm and a former prosecutor focused on computer crimes, said fraud rings are growing ever more sophisticated.

“Hackers today can cross-check more data and build databases of individuals’ kinship relationships. The more complete the data, the easier it is to get people’s trust and engage in financial fraud,” he said.

An official in the Criminal Investigation Bureau’s Research and Development Division, Huang Han-wen (黃翰文), explained that “data puzzles” are critical nodes in what have been described as the “fraud industry chain,” with specific people responsible for piecing together information from different sources. The more complete the puzzle they compile, the higher its value.            

Now, because of the leak of this incredibly complete household registration information, others with bad intentions can use it to more easily piece together other leaked personal data, in effect helping trigger more fraud in the future. 

Yet, the government’s reaction, specifically the reaction of the Ministry of the Interior (MOI), which oversees the Department of Household Registration, and the Ministry of Digital Affairs (MODA) has been lackluster, one could even say absurd, at four different levels. 

Evasive government response

Absurdity 1: Not admitting to a personal data leak

On the day the leaked information was being offered, the MOI issued a “clarification.” “The information was not leaked from the Ministry of the Interior’s Department of Household Registration website,” it said.  

The Ministry of Digital Affairs’ Administration for Cyber Security also dismissed the incident. 

“BreachedForum is suspected of selling citizens’ personal information and is describing it as household registration data from the Ministry of the Interior. This is not true,” the ministry said.

At the end of 2022, the MOI’s public stance started to shift. It no longer excluded the possibility that information “leaked through other channels,” but would only say that prosecutors were investigating the case and that the investigation would remain confidential.

To Xiao Lo, the government was playing semantics, prompting him to disclose publicly the true nature of the leaked information.

The CSV file (a text file in which each record’s fields are separated by commas) released by Xiao Lo had 39 columns of information, from date of birth, gender and ID No. to household number and head of household, to the names and ID Nos. of biological and/or adoptive parents.

“Other than household registration agencies, what other government agencies or private entities would have household numbers and the names of heads of households?” Xiao Lo asked.

Absurdity 2: Major information incident not reported

“If the government does not treat these issues with urgency, the public will no longer trust its governance,” said the TWNIC’s Huang.   

CEO of Taiwan Network Information Center (TWNIC) (Source: Chien-Tong Wang)

But the government’s reaction seemed to indicate a lack of concern.

According to Taiwan’s Cyber Security Management Act, cyber security refers to efforts to “prevent information and communication systems or information from unauthorized access, use, control, disclosure, damage, alteration, destruction or other infringement to assure the confidentiality, integrity and availability of information and systems.” Based on that definition, the leak of household registration clearly compromised cyber security.

Also, a provision of the “Regulations on the Notification and Response of Cyber Security Incidents” says that any leak of official secrets or sensitive information is a major information security incident. Once a public agency learns of such an incident, it must notify a regulatory authority, complete recovery and damage control, and submit within one month a report on the incident’s investigation, handling and response. 

“The purpose of this mechanism is to find the information security vulnerability, quickly patch it up, and discuss paths for improvements,” Huang explained. 

Four months after the personal information of Taiwan’s citizens was peddled online, the MOI had still not issued a notification of a major information security incident.

Because the Department of Household Registration has yet to admit that the leak was of household registration information, it has not notified the millions of people whose data was leaked as required by the Personal Data Protection Act.

Pressed about the situation by CommonWealth Magazine, the MOI’s final response was “the case is currently being investigated, and related issues will all be answered by the MODA.”

MODA Deputy Minister Lee Huai-jen (李懷仁) said that after a forensic investigation, the MODA confirmed that the Department of Household Registration was not hacked and there were no signs of abnormal access. 

Based on the definition of “cyber security incident” in the Cyber Security Management Act, the leak was therefore classified not as a “cyber security incident” but as a “personal data leakage incident,” meaning it was not a case in which the MODA could intervene, Lee contended.

That would be like saying that, in burglaries in which valuable items were stolen, the MODA would only be responsible for cases in which windows were broken, there was evidence of an intrusion, and fingerprints and footprints could be found at the scene, and for nothing outside that scope.

In addition, the MOI, which did not fulfill its custodial responsibilities in the case, did not submit a report on potential improvements as was required based on standard operating procedures.   

The MODA’s legal opinion was not convincing to information security and legal specialists.  

“Information security cannot be reduced to internet security. Internet security cannot be reduced to hacker intrusions,” said Thomas Wan (萬幼筠), managing director of Ernst & Young Taiwan Management Consulting.

Absurdity 3: Closed door, silent treatment

Despite Lee’s contention, the government is capable of taking a hard line on potential incidents, and has done so in the past.

One example came in June 2019, when the Ministry of Civil Service (MOCS) learned that 590,000 pieces of personal information on civil servants were being offered on a foreign online forum. Though the ministry was not immediately able to confirm whether the information was genuine, it still reported a Level 1 information security incident as required by law.

When it confirmed the next day that the information had, in fact, come from the ministry, it reported the incident again but at a higher level of importance.

Three days later, the MOCS released its preliminary findings and collaborated with the Executive Yuan’s Department of Cyber Security, the Ministry of Justice’s Investigation Bureau, and the Criminal Investigation Bureau on information security testing and a related investigation.

In the October 2022 cyber security incident that had a much broader impact, however, the MOI chose not to admit it and not to report it, instead deciding to handle it behind closed doors.

At the end of last year, the MOI very quietly revised the “Regulations Covering Agency Applications for Household Registration and Kinship Relationship Information” (各機關申請提供戶籍資料及親等關聯資料辦法). The main revisions included stipulations that: 

1. Information cannot be exchanged using portable storage tools such as CDs or flash drives;
2. Agencies applying for information must attach a document certifying the cyber security level of responsibility; and
3. The applications must clearly show for how long the information is to be used and the time by which it will be destroyed.

According to an information security expert familiar with how the government operates, the revisions indicated that the MOI discovered a vulnerability in the procedures for exchanging household registration information and that the leaked information being peddled online could have been leaked through another agency or an outside contractor.

That would not be surprising, given that the 70 agencies around Taiwan able to connect to the household registration system operate at vastly different cyber security responsibility levels. By law, for example, the MOI’s information security level is Level A while that of an outside contractor is Level C.

On Jan. 10, 2023, comments by Deputy Interior Minister Hua Ching-chun (花敬群) to lawmakers were seen as an admission that household registration information leaked out through indirect channels.

“There are many possible causes of the leak, but it did not come from the Department of Household Registration system,” Hua said.

One government official came to the MOI’s defense, saying: “it’s like if the MOI lent a key to another party and that party lost it, would the MOI be to blame?”

But New Power Party lawmaker Chiu Hsien-chih (邱顯智) dismissed that thinking. “The leaked information was household registration information, so of course it’s up to the MOI, which is responsible for safeguarding information, to investigate the case.”

Absurdity 4: No independent regulator

The post-mortem of the cyber security incident cannot stop at “clarifying how the information was lost.” It must also confront whether existing laws can protect citizens’ personal information, because at present it is plain that they cannot.

Article 18 of the Personal Data Protection Act stipulates that government agencies that have personal information files must assign dedicated personnel to protect them and prevent them from being stolen, altered, damaged, destroyed or disclosed. 

The problem is that there are no penalties for agencies that violate this clause. After looking into a breach, they only have to notify the parties whose information may have been compromised.

As for private entity violators, a central competent authority responsible for that entity can fine them between NT$20,000 and NT$200,000.

“Not only are the penalties in the existing Personal Data Protection Act too lenient, public agencies don’t even have consistent standards,” said Ernst & Young’s Wan.

A major reason why the MOCS reported its major personal information leak but the MOI did not was the lack of an independent regulatory agency, which allows by default each agency to march to its own beat. 

In contrast, Europe’s General Data Protection Regulation (GDPR) applies to all EU member states, and each state is required to set up one or more “independent public authorities” that supervise data protection and also regulate companies and governments. The GDPR also clearly mandates that personal data breaches should be reported within 72 hours, and failure to do so is subject to a fine of up to 10 million euros or 2 percent of a company’s annual revenue from the preceding year, whichever is higher.

The Executive Yuan, the administrative branch of Taiwan’s government, recently announced that it is considering legal revisions to increase fines for “non-public agencies” that violate the Personal Data Protection Act and to set up an independent agency to protect personal information.

But aside from demanding that private entities safeguard personal information, the government should also take the lead by showing more urgency in tackling information leaks. When a breach occurs, it should make it public and notify the people involved if it hopes to limit the damage.

President Tsai Ing-wen has often stressed that “information security is national security.” But when her government faced a national security crisis with the leak of household registration information on Taiwan’s 23 million citizens, it failed the test, leaving people to wonder how safe their personal information really is.


Translated by Luke Sabatier
Uploaded by Ian Huang