Biz / Tech

Didi fined US$1.2b for long-running data, security breaches

Ding Yining
The Cyberspace Administration of China says the offences were 'egregious' and 'grave' and a threat to national security.
Ding Yining

The Cyberspace Administration of China has imposed an 8.03 billion yuan (US$1.19 billion) penalty on ride-hailing service Didi for data security breaches, citing the "egregious nature and grave violations" of the offences.

Chairman and CEO Cheng Wei and president Liu Qing were also fined 1 million yuan each.

The investigation found Didi violated China's network security law, data security law and personal information protection law, which gravely affects national security.

Didi's illegal acts started in June 2015 and lasted seven years. It was also found to be deliberately hiding from regulatory scrutiny, among other breaches and violations, said the administration.

It found illegal activities in eight major areas including collecting customers' phone screenshots, excessively accessing users' smartphone clipboards and applications lists, collecting drivers' ID info and education background, analyzing passengers' transport and riding intentions, residential location and out-of-town trip info, and accessing unnecessary telephone information during hitch car-pooling rides.

It also accessed extremely huge amount of personal data with 64.7 billion pieces of info including sensitive data like facial recognition info, precise locations and ID card numbers.

The penalties were based on the nature of the violations, the duration and the harm they caused, the administration said.

Data companies and Internet service providers have been urged to ensure personal data protection as government agencies seek to promote the innovative and healthy development of the sector.

The cyber administration opened the investigation into Didi last year following its initial public offering on the New York Stock Exchange. It also ordered Didi to pull out from smartphone app stores and cease new user registration.

Didi filed its delisting notification with the SEC in May after receiving shareholder approval.

Didi said on Thursday it will strictly follow the penalty decision and the requirements of relevant laws and regulations and conduct a comprehensive and in-depth self-examination.

It will follow the orders and complete the rectification process and will further strengthen network and data security and the protection of personal information.

Special Reports