news

한어Русский языкEnglishFrançaisIndonesianSanskrit日本語DeutschPortuguêsΕλληνικάespañolItalianoSuomalainenLatina

recently, ms. li from shenyang, liaoning reported to china national radio that on june 29, 2023, she bought a round-trip ticket from shenyang to chengdu on the official wechat applet of china southern airlines co., ltd. (hereinafter referred to as "china southern airlines"). however, the night before the plane took off, she received a call from someone claiming to be "airline customer service", saying that the plane canceled the flight due to mechanical failure. since the other party could accurately report the victim's name, mobile phone number, id number, ticket price and flight information, she believed it. then, the other party instructed her to handle the online refund and change business according to the process, and said that she could claim flight delay insurance. in order to successfully get the refund and compensation, she followed the other party's requirements, but was defrauded of more than 440,000 yuan.

ms. li believed that her identity information and flight itinerary information were personal information, and china southern airlines failed to fulfill its obligation to protect personal information in the process of processing personal information, which resulted in the leakage of personal information and the exposure to telecommunications fraud. in order to protect her legitimate rights and interests, she filed a lawsuit with the court. on september 11 this year, the case was heard in the yuhong district people's court of shenyang city, liaoning province. the case was not sentenced in court.

li xinlin, deputy director of the safety production and quality management department of china aviation information technology co., ltd., once said in an interview with the media that the entire air ticket booking process involves multiple entities, including ota (online travel distribution platform), airlines, airports and china aviation information technology co., ltd. if any link fails to protect the personal information of passengers, it may lead to the leakage of passengers' personal information.

li xinlin introduced that starting from august 2024, china aviation information network has enabled the login sms verification function for individuals using their work numbers in the air ticket distribution system in batches, strengthened the two-factor authentication in the login process, and reduced the risk of passenger information leakage.

incident: passenger suspected of being defrauded of 440,000 yuan after purchasing air tickets on china southern airlines official wechat account

ms. li told reporters that she is a loyal user of china southern airlines. she usually chooses to take china southern airlines flights for business trips or outings, and she also orders tickets on china southern airlines' official mini program. on the afternoon of june 29, 2023, she bought round-trip tickets from shenyang to chengdu on july 20 and july 23 on china southern airlines' wechat mini program, and actually paid a total fare of 2,640 yuan.

the indictment provided by ms. li shows that on the evening of july 19, she received a call starting with 192. the caller claimed to be a customer service representative of china southern airlines, claiming that the flight from shenyang to chengdu had to be canceled due to a mechanical failure. the caller was able to accurately report her name, mobile phone number, id number, ticket price, and flight information (departure time, departure place, destination, flight number), and also guided her to handle the online refund and change business according to the process, and said that she could claim flight delay insurance.

the indictment stated that in order to successfully obtain a refund and compensation, ms. li followed the other party's instructions step by step. during the process, the other party told ms. li that her personal credit was problematic, and then defrauded her of more than 440,000 yuan through a series of actions including face recognition and screen sharing. this included the loan that the fraudster tricked ms. li into applying for at the bank.

ms. li's record of purchasing air tickets on china southern airlines' official mini program (photo provided by the interviewee and released by china national radio)

ms. li said that she was manipulated by the telecom fraud criminals because of her trust in china southern airlines. she transferred money to the bank accounts of lian moumou, li mou and other five people six times, but finally found out that she had been defrauded when she had no money to transfer.

ms. li said that after she discovered she had been cheated, she called china southern airlines for an explanation, but the airline told her that the flight was normal, suggested that she call the police, and mailed her a small gift, but she did not accept it.

"china southern airlines did not offer any substantial compensation or apology." she said that she later complained to the civil aviation administration, but the mediation failed to make any substantial progress as china southern airlines refused to make a full refund for her unused ticket.

the indictment provided by ms. li shows that according to the civil code of the people's republic of china and the personal information protection law of the people's republic of china, her identity information and flight itinerary information are all personal information and are protected by the civil code and the personal information protection law. china southern airlines, as a personal information processor, failed to fulfill its protection obligations in the process of processing her personal information, resulting in the leakage of personal information. therefore, the plaintiff suffered telecommunications fraud and suffered economic and mental losses. china southern airlines should bear the tort liability for damages. in order to safeguard the legitimate rights and interests of the plaintiff, ms. li filed a lawsuit with the court.

ms. li told reporters that she requested the court to order the defendant, china southern airlines, to pay a total of more than 470,000 yuan in compensation, including economic losses due to fraud caused by the leakage of personal information, compensation for mental damage, and paid but unused ticket prices.

trial: did china southern airlines leak information?

on the morning of september 11, the yuhong district people's court of shenyang city, liaoning province opened a hearing on the case.

during the trial, ms. li's agent, beijing dingshi law firm's lawyer pang lipeng, stated in court that the defendant, china southern airlines, violated its obligations as a personal information processor, failed to properly protect the plaintiff's personal information, and leaked the plaintiff's personal information. according to the "personal information protection law of the people's republic of china", personal information refers to various information related to identified or identifiable natural persons recorded electronically or otherwise. in this case, the flight information obtained by the plaintiff after ordering a ticket on the defendant's official website, including name, id number, contact information, etc., obviously falls into the category of personal information and should be protected by the personal information protection law and the civil code.

ms. li received a call from someone claiming to be a customer service representative of china southern airlines and was defrauded (photo provided by the interviewee and released by china national radio)

during the trial, pang lipeng stated that personal information processors should follow the principles of legality, legitimacy and necessity when processing personal information and take necessary measures to ensure the security of personal information. as a personal information processor, china southern airlines has the obligation to ensure that the personal information of the plaintiff is properly protected in the process of providing ticket booking services to the plaintiff, and has the obligation to ensure the security of the personal information it collects, and should prevent the leakage, damage and loss of information.

in this regard, china southern airlines believes that the data transmission and storage process of passengers' sensitive information has been encrypted and desensitized, and the information system and mobile program meet the national network security level requirements. china southern airlines has not leaked the plaintiff's information. secondly, after the passenger purchases the ticket, his information will also be transmitted to the china civil aviation departure control system for check-in, etc. therefore, the security loopholes of the airport system and the plaintiff's mobile phone itself may become the link of information leakage. china southern airlines is not the only party that holds the plaintiff's information, and the plaintiff has not submitted evidence to prove that china southern airlines is the only source of the plaintiff's information leakage. it should bear the adverse consequences of failing to provide evidence.

however, pang lipeng believes that the plaintiff, ms. li, does not need to provide evidence to prove the fault of china southern airlines as a personal information processor. it is up to china southern airlines to provide evidence to prove that it is not at fault. it should not only prove that it has fulfilled its security obligations from the macro level such as system information security, but also prove from the micro level that it has taken reasonable measures in the process of collecting, using and processing user information regarding the leakage claimed by the plaintiff.

focus: does china southern airlines need to bear compensation liability?

during the trial, pang lipeng believed that there was a factual causal relationship between china southern airlines' tortious behavior of omission and ms. li's damages. in this case, the defendant's infringement of the plaintiff's personal information rights and interests was a typical tort of omission. the defendant failed to fulfill its obligation to ensure the safety of the plaintiff ms. li's personal information, which was a passive tort. if china southern airlines' actual behavior was replaced with legal and appropriate behavior, that is, if the defendant china southern airlines properly protected the plaintiff's personal information, and the plaintiff's personal information was not leaked, the fraudster would not be able to obtain the plaintiff's aviation information and other related personal information, and would not be able to commit fraud against the plaintiff based on the information, then the damage would inevitably not occur. therefore, there was a factual causal relationship between the defendant china southern airlines' tortious behavior of omission and the plaintiff's damages.

in response, china southern airlines stated that according to the plaintiff's complaint, the plaintiff's loss was caused by fraud. therefore, before the criminal case is solved, it cannot be confirmed that the plaintiff's ticket purchase information was leaked by china southern airlines, and the plaintiff's losses should be pursued through criminal procedures. in addition, after the plaintiff received a call from "someone claiming to be a china southern airlines employee", he made multiple transfers without verification and confirmation, and the amount was obviously greater than the amount of his ticket purchase, indicating that the plaintiff was obviously negligent and his failure to fulfill the corresponding duty of care was also one of the reasons for the damage. his injury has nothing to do with china southern airlines.

china southern airlines believes that there is no disclosure of the plaintiff's personal information, and the refunded ticket amount has been returned to the plaintiff. the plaintiff's lawsuit request has no factual and legal basis. on september 11, the yuhong district people's court of shenyang city, liaoning province, told reporters that the case is still under trial and it is not convenient to accept interviews.

case: how do scammers obtain passengers’ flight information?

the reporter retrieved a judgment document on the china judgment documents network. according to a ruling issued by the intermediate people's court of heze city, shandong province, the defendant yu mouxue said that she was an external employee of a beijing air travel co., ltd., responsible for handling abnormal flights of a certain airline. she could see all passenger information of the airline's delayed and canceled flights, including flight number, passenger name, id number, contact information, flight date, departure time, ticket number, etc. one day in 2017, one of her qq friends purchased aviation passenger information from yu mouxue at a price of 5 yuan per piece, and was willing to pay first. after receiving 5,000 yuan, yu mouxue exported more than 700 passenger information from the system and sent it to the person. after that, wang mouxue successively provided him with thousands of passenger information.

a ruling issued by the intermediate people's court of heze city, shandong province (photo source: china judgment documents network, china national radio)

yu mouxue's buyer yang mougui said that someone had contacted him and asked him to buy flight information and engage in online fraud together. yang mougui found yu mouxue, spent 20,000 yuan to buy the passenger information, and then sent a message to the passenger on his mobile phone, which roughly said "dear passenger, the xx flight you are taking has been cancelled and needs to be rescheduled. please contact: xx".

yang said that some passengers would call after seeing the text messages, so he and other fraudsters would deceive passengers by saying that the flight was cancelled, thereby further defrauding them. yang said that he participated in the fraud of about 6 people in total, and the gang made a total profit of about 40,000 yuan.

the court finally found that yu mouxue was guilty of infringing on citizens' personal information and sentenced her to three years and six months in prison and a fine of rmb 8,000; yang mougui was guilty of fraud and infringing on citizens' personal information and was sentenced to 14 years in prison and a fine of rmb 108,000.

behind the scenes: who leaked personal information?

the reporter found that on many social platforms, many passengers reported that after purchasing their tickets, they received calls from people claiming to be airline staff, claiming that they needed to refund the fees due to flight changes. because the other party could accurately tell the passenger's flight information and personal information, many people were deceived and suffered financial losses.

among them, in the second half of last year, some netizens reported that they searched for flight information and booked tickets on an app. subsequently, three people received fraudulent calls. the other party claimed to be the airline’s customer service and asked them to provide their alipay account for compensation on the grounds that the flight was cancelled due to mechanical failure. they could also report the passengers’ names, phone numbers, id cards, flight information, etc.

in response, the civil aviation administration of china said that it attaches great importance to data governance, conscientiously implements relevant provisions such as the cybersecurity law, the data security law, and the personal information protection law, and has successively issued a series of "7+1" smart civil aviation data governance specifications (7 industry standards and 1 information notice) to guide and regulate industry units to carry out data sharing, data services, data security and other work. at present, in order to implement the relevant requirements for data classification and grading protection in the civil aviation field, the civil aviation administration is compiling relevant documents to further strengthen the protection of important data. at the same time, the civil aviation administration will actively coordinate with the public security organs to carry out relevant strict investigations and crackdowns on issues such as passenger information leakage by third-party network channel agency companies.

on september 12, wu shenkuo, doctoral supervisor at the law school of beijing normal university and deputy director of the research center of the internet society of china, said that the risk of leakage of personal information may have a lot to do with the path of circulation and utilization of personal information. this is because the ticket booking process is complicated and involves many parties, including online travel platforms, airlines, and agents that passengers can access, as well as intermediaries and terminal systems such as china aviation information and operators. there is a risk of data leakage in any link.

wu shenkuo said that when passengers enter their personal information, they should pay special attention to the legitimacy and legality of the website and app. if some apps or web pages are fake, the personal information of passengers may have been illegally collected when they enter the information. secondly, personal information may be shared between service providers. in the process of information sharing, special attention should be paid to whether the relevant service agreement has any provisions on the collection and circulation of personal information. at the same time, service providers should also avoid the abuse of such personal information, especially the illegal provision.