Hacking, gone off the rails: Holiday travelers react to data breach

3 min read


If you can’t see the YouTube player above, try watching here.

Train passengers may be riding into the Chinese New Year with concerns about data loss after thieves listed millions of train passengers’ information for sale on the black market.

China’s official rail authority, China Railway, blamed a recent hacking on third-party ticketing vendors, often thought to be more convenient, though perhaps less secure, than the official railway ticketing platform, 12306.cn. Earlier this week, it was reported that China Railway moved to limit third-party apps’ access to train tickets.

Some Chinese consumers, it seems, value the convenience of third-party applications over the ostensible security of official platforms, even when that may lead to data theft.

A student who was traveling with his friend from Hebei port city Qinhuangdao to Beijing Railway Station for a college entrance exam told TechNode that although the official site might be more secure, he prefers to use third-party apps like WeChat or Ctrip. He said, “I feel like third-party apps are more convenient than the official booking platform. They also offer more promotions and discounts.”

While Chinese consumers do care about data privacy, a 2015 Harvard Business Review study found that they were willing to pay less to protect most types of private data than their American, British, and German counterparts.

Many Chinese passengers told TechNode they were unconcerned about hacking because they believed their personal data wouldn’t be used for nefarious reasons.

One college student said, “Sometimes this information is used for advertising or communication purposes. It’s not like personal information was violated. I’m not really worried.”

But some Chinese consumers are deeply aware of the risks of online commerce. A 25-year-old technology worker, who asked to be referred to only by her initial, M, so that she could speak candidly about the industry, told TechNode that she was afraid to use smaller, third-party applications. She believes these platforms tend to be managed by younger, less experienced developers.

She said, “Sometimes it is because [smaller platforms] simply don’t have the manpower, sometimes it is caused by vulnerabilities in their server or the third-party services they use, including cloud services. All of these factors are possible.”

Passengers wait for a train at Zhenjiang South Railway Station. (Image credit: Cassidy McDonald/TechNode)

According to a 2018 report by Tencent research arm Penguin, 60% of Chinese consumers occasionally worry about data leaks, and are most concerned about their data being used for fraud, being resold to third parties, or leading to spam calls.

Jia Sen, 24, said that he is often pestered by spam calls offering to sell him a house, but he doesn’t believe he has any way to avoid them. He, like many consumers, buys tickets on whichever platform has seats available.

China Railway has denied the claims that there was a data breach and warned passengers to avoid booking their tickets on unauthorized third-party apps—in particular, ticket-snatching software and plug-ins.

12306.cn recently rolled out a new feature that it claims is faster than ticket scalping programs, which previously drew droves of customers looking to snap up much-coveted tickets during the Chinese New Year period.

Jia told TechNode that he hasn’t worried about personal information being stolen from ticket booking sites. “There isn’t that much information on there,” he said. “Only my phone number, ID number, and my name.”

The Dec. 28 ad, which listed 12306.cn passenger information from over 600,000 user accounts involving more than 4.1 million passengers, reportedly included names, ID numbers, phone numbers, email and account usernames, and passwords. The usernames and passwords were proved to be valid and could be used to log into 12306.cn’s user accounts.

Police said that an investigation led to the arrest of a 25-year-old suspect who allegedly purchased account details on the dark web, then used them to gain access to more data held by third-party ticketing platforms.

This is not the first time the platform has found itself the target of massive data hacking. Last year, 30 million pieces of information were reportedly leaked from 12306.cn and sold on the dark web for 10 Bitcoins (roughly $65,000 at the time). Officials immediately denied claims that the platform was hacked and advised customers not to use unauthorized channels to book their tickets. A similar incident took place in December 2014, when thieves leaked 130,000 railway passengers’ personal information from the 12306.cn site.

The 25-year-old tech worker, M, said, “To be honest, I’m halfway from giving up. Working in the [tech] industry, you’d know very well it’s quite difficult to protect your personal information from being put online.”

Additional reporting by Nicole Jao.