Nearly 100 Insurance Firms Face Client Data Breach, Records Sold for as Low as $0.03 Each

Deep News

Almost every car owner has received a sales call beginning with: "Hello, I'm a customer service representative from XX Insurance. Your auto insurance for vehicle XXX is about to expire, and we currently have a special promotion..." In recent years, many consumers have noticed that after purchasing insurance, their personal details appear to be "precisely known," leading to a barrage of loan offers, investment pitches, and even scam calls, where the caller can state not only their name and phone number but also the policy purchase date and type.

In today's digital era, the insurance industry, as a data-intensive sector, holds vast amounts of sensitive consumer information. However, an investigation reveals that insurance information leakage has become a major area of consumer-rights violations, ranging from information being fraudulently used for policy applications, to internal staff illegally selling data, to mobile apps collecting information improperly.

A recent television program focusing on consumer rights exposed a complete black-market chain for buying and selling policyholder personal information. The report indicated that social media platforms host numerous overt sales of policy data. To evade oversight, sellers often use coded language and conduct transactions via private channels like QQ and WeChat.

The data being sold is remarkably cheap. Auto insurance client information can cost as little as 0.2 yuan per record, while more detailed and sensitive life insurance data—including life, health, and annuity policies—can fetch up to 10 yuan per entry. Samples provided by sellers are alarmingly comprehensive. Auto insurance details include the owner's name, ID number, vehicle identification number, and policy expiration date. Life insurance information can specify the policy number, exact product name, premium amount, payment term, and policy start and end dates. Some sellers even offer to provide data filtered by region for purchases exceeding 500 records.

The leaked information involves nearly 100 insurance institutions, covering almost all major insurers and primary life insurance products on the market, such as life insurance, annuities, accident insurance, medical insurance, and critical illness coverage. Specific details like product names, policy dates, effective dates, termination dates, premium amounts, and payment terms are fully exposed.

Analysis of recent public enforcement actions and judicial cases shows that insurance client data leaks typically occur through two primary channels: internal staff misusing system access to illegally export and sell client data, and vulnerabilities in company apps or information systems regarding personal information protection.

A court ruling published online detailed a case where six insurance practitioners purchased over 200,000 records of citizens' personal information—including names, ID numbers, phone numbers, and vehicle details—to expand their auto insurance business. For instance, a former branch manager spent 37,500 yuan to buy more than 30,000 records, while another executive purchased 20,000 records for 24,000 yuan. The information sold illegally originated from within the insurance industry itself; the seller obtained the data from a former colleague, a sales director at an insurer's provincial branch, with the pair conspiring to sell vehicle purchase data for 0.7 to 0.9 yuan per record and splitting the illegal profits.

Beyond internal misconduct, technical vulnerabilities are a significant concern. Insurers' own mobile apps have frequently been cited in regulatory notices for improperly collecting and using personal information, representing another major source of data leaks. Notifications from regulatory bodies have listed numerous insurance apps for issues including failure to clearly state data handling rules, difficulties with account deletion, unauthorized personal data collection, and poor handling of user complaints.

The leakage of policyholder information has severe consequences for consumers, extending far beyond nuisance calls. It often serves as the first step for "claims assistance" fraud and other black-market schemes. As financial products become more common, some consumers, misunderstanding policy terms or facing temporary financial strain, become easy targets for scammers. These criminals, having purchased detailed policy information through underground channels, conduct highly targeted "person-to-person" scams by posing as official customer service or legal staff, tricking consumers into signing bogus agreements and charging high fees. In some cases, they go further, stealing bank card details and passwords for additional fraud, and reselling the illegally obtained policy data, completing a full black-market chain from source to end-buyer.

A recent case publicized by regulators involved individuals illegally purchasing personal information to engage in fraudulent insurance cancellation services. The group bought over 67,000 records of policyholder data—including names, contact details, and policy types—and used this information to solicit clients, earning substantial illegal profits. Regulators emphasize that once consumer data enters black-market channels, it becomes a source for "precision targeting," and illegal acquisition of personal information for such activities should be severely punished.

However, consumers facing precise scams and increasing harassment often encounter difficulties in proving their case when seeking recourse. Legal experts point out that under personal information protection laws, the burden of proof shifts in such instances. Consumers do not need to prove the insurer was at fault; they only need to provide basic evidence, such as demonstrating that personal information was solely provided during the insurance application process, and presenting recordings or screenshots of unsolicited communications that closely match their policy details. If a preliminary link between the damage and the insurer's data handling can be established, the insurer must prove it was not at fault, otherwise it bears liability.

In response to the growing data security crisis, national and financial regulators have not been idle. In recent years, foundational laws on data security, cybersecurity, and personal information protection have been enacted, supplemented by detailed regulations and guidelines specifically for the financial sector, creating a stringent institutional framework to combat data-related crimes. For example, recently implemented rules require insurers to adhere to principles of explicit notification and consent when processing personal data, collect only the minimum necessary information, and obtain consent for any data sharing. Various laws stipulate significant penalties for violations, including multi-million-yuan fines and criminal liability.

Despite these measures, experts note that while existing legal penalties are theoretically sufficient to deter misconduct, practical challenges remain, including infrequent enforcement, difficulties in implementation, and obstacles for consumers claiming compensation. There is an urgent need for regularized supervisory enforcement, increased penalties for violations, and improved public interest litigation mechanisms to ensure laws are effectively applied.

For the insurance industry's data governance, recommendations include issuing detailed data security management rules specifying data classification, transfer, and destruction standards; conducting regular security checks; establishing industry "white lists" for legitimate information sharing to combat illegal trading; promoting data security certifications; and adopting technologies like blockchain to enable data usability without visibility, preventing leaks at the source.
