On June 13, 2025, the Beijing Municipal Cyberspace Administration reported two enterprise data breach incidents. The companies involved were each fined 50000 yuan for failing to fulfill their data security protection obligations, a failure that allowed users’ personal information to be stolen by overseas IP addresses. The penalties, imposed under Articles 27 and 45 of the Data Security Law of the People’s Republic of China, send a strong signal that the regulator has “zero tolerance” for illegal and irregular conduct in the field of data security.
Security vulnerabilities leave data “running naked”; overseas theft crosses a legal red line
The report shows that both companies had oversights in both technology and management. The back-end business system of a Beijing technology company was deployed without any access control or identity authentication mechanism, exposing stored sensitive information such as names, ID numbers and mobile phone numbers to the public internet. The other company, for the convenience of testing, opened port 9200 of its ES (Elasticsearch) database directly to the public without restricting access, leaking names, phone numbers and other data. Data stolen through such unauthorized-access flaws may be used by overseas parties for telecommunications fraud, targeted marketing and even espionage, seriously threatening citizens’ privacy and national security.
Maximum-range penalties highlight enforcement; enterprises need to build a solid “three lines of defense”
Under the Data Security Law, a company that fails to fulfill its data security protection obligations may be fined between 50000 yuan and 500000 yuan. The severe penalties imposed on the two companies this time underline the regulator’s hard line on conduct that “ignores security”. The Beijing Municipal Cyberspace Administration explicitly requires enterprises to:
Upgrade technical protection: deploy access control, IP allowlists, data encryption and similar measures to prevent “ports exposed with no protection”;
Fill institutional gaps: establish a data security management system covering the whole process, and regularly conduct vulnerability scanning and security training;
Strengthen emergency response: prepare emergency plans for data breaches so that incidents are reported and traced within 24 hours.
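The second breach above came from an Elasticsearch node whose port 9200 was opened for testing with no access restriction. As an added example (not from the report, the regulator or Elastic), the audit below reads an elasticsearch.yml and flags that pattern against the measures listed: authentication, TLS and an IP allowlist. The two sample configs are constructed; the hardened one omits the keystore paths a real TLS setup also needs.

```python
# Added example, not from the report or any vendor: audit an elasticsearch.yml
# for the pattern the regulator described, a node bound to a public interface
# with no authentication in front of port 9200. Sample configs are constructed.

PUBLIC_BINDS = {"0.0.0.0", "::", "_site_", "_global_", "_non_loopback_"}
LOOPBACK_PREFIXES = ("127.", "::1", "localhost", "_local_")

def parse_flat_yaml(text: str) -> dict:
    """Parse the flat 'key: value' lines of elasticsearch.yml, skipping comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and ":" in line:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit_es_config(text: str) -> list:
    """Return findings as strings; an empty list means no exposure pattern matched."""
    s = parse_flat_yaml(text)
    host = s.get("network.host", "127.0.0.1")  # Elasticsearch binds loopback when unset
    port = s.get("http.port", "9200")
    if host not in PUBLIC_BINDS and host.startswith(LOOPBACK_PREFIXES):
        return []  # loopback-only node, reachable only from the host itself
    findings = []
    # Treat an unset flag as disabled, the conservative (7.x default) reading.
    if s.get("xpack.security.enabled", "false").lower() != "true":
        findings.append(f"{host}:{port} with xpack.security.enabled != true: "
                        "unauthenticated access to every index")
    if s.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append(f"{host}:{port} without TLS: credentials and personal "
                        "data cross the network in cleartext")
    if not s.get("xpack.security.http.filter.allow"):
        findings.append("no IP allowlist (xpack.security.http.filter.allow); "
                        "restrict clients there or at the firewall")
    return findings

# Constructed 'opened for testing' config, the pattern cited in the report.
WEAK_CONFIG = """
network.host: 0.0.0.0        # exposed on every interface
http.port: 9200
xpack.security.enabled: false
"""

# Constructed hardened counterpart: authentication, TLS, explicit allowlist.
HARDENED_CONFIG = """
network.host: 10.0.5.12      # internal interface only
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.filter.allow: 10.0.5.0/24
"""
```

Running `audit_es_config(WEAK_CONFIG)` yields three findings, while the hardened config and a loopback-only node yield none.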
Regulation of cross-border data flows is tightening; enterprises must beware of the “compliance trap”
It is worth noting that the flow of data to overseas IP addresses in this incident exposed the potential risks of cross-border transmission of enterprise data. With the “Regulations on Promoting and Regulating Cross-border Data Flow” in force, enterprises need to be clear that:
Important data leaving the country must undergo a security assessment, and data outside the negative list can be exempted from declaration;
Enterprises in the pilot free trade zones can follow a simplified export process based on the data negative list, but must register and accept regulatory inspection;
In the event of data tampering or leakage during cross-border transmission, enterprises may face top-level penalties such as revocation of their business license.
Industry warning: from “passive response” to “active defense”
Data breaches have occurred frequently in recent years. An education company in Beijing once leaked the information of 120000 customers because of weak passwords on test accounts, and the person directly responsible was fined an additional amount; a biotechnology company was ordered to rectify after 19.1GB of citizens’ genetic data leaked from an unencrypted system. This incident once again sounds the alarm: enterprises must abandon “remedial” thinking, integrate data security into the whole business process, and build a “closed loop of protection” through technical means and institutional constraints.
The Beijing Municipal Cyberspace Administration stated that its next step will be a special rectification campaign together with the public security, cybersecurity and other departments, focusing on cracking down on illegal data export, unauthorized access and similar conduct. As the digital economy and the real economy become deeply integrated, data security has evolved from a “technical issue” into a “legal obligation”. Only by building a “foolproof” line of defense can enterprises avoid the painful cost of “losing everything”.