Thiên Lương & Tịch Dạ wrote this article in Vietnamese and published it in Luật Khoa Magazine on Sept. 16, 2025. Đàm Vĩnh Hằng translated it into English for The Vietnamese Magazine.
Sept. 15 marked the deadline for Việt Nam’s citizens to claim their “Independence Day gift,” a high-profile and unprecedented national “tax rebate” campaign. Beyond the logistics of the distribution, however, the campaign’s motives warrant scrutiny, particularly in light of a recent, catastrophic data breach at the National Credit Information Center (CIC). The leak of over 160 million financial and credit records—roughly equivalent to Việt Nam’s entire population data—has made the public deeply wary of data security.
This is especially relevant as the gift campaign was facilitated through the VNeID app, a cornerstone of the state’s project to collect, store, and digitize citizen data. The situation raises critical questions: Is this a push toward mass surveillance? Is Việt Nam adopting a model from China? And what doubts does the CIC breach raise regarding the country’s capacity to ensure data safety?
“Independence Day Gift” or Bait for Financial Data?
The link between the holiday gift campaign and the government’s plan to harvest financial data is not mere speculation. It has been openly confirmed by the Ministry of Public Security.
In official instructions, the ministry stated that the purpose of the Sept. 2 distribution was to build the data infrastructure for Project 06 (Đề án 06)—a government data-collection project it oversees. This aligns with a goal reported in an article in the Báo Chính phủ on August 29: to ensure 100% of citizens have a social security account on VNeID by 2025.
The groundwork for this was laid months before the “gift” was announced. Following an order from Prime Minister Phạm Minh Chính to review all bank accounts and mobile SIM cards, the ministry worked with the State Bank of Việt Nam (NHNN) to “cleanse” financial data.
This massive operation involved cross-checking over 122 million records with the biometric citizen data already stored in VNeID. By July 2025, more than 117 million bank records had been verified. Today, biometric verification via VNeID is mandatory for most banking transactions.
After the banking sector reported on Aug. 14 that it had “100% cleansed” all financial data, the holiday gift campaign served as the next, crucial step. It acted as a pilot social welfare system that neatly synchronized nationwide financial data with the resident database already integrated within the VNeID app.
Borrowing from China’s Playbook
The digitization of Việt Nam’s financial data was not a sudden decision. Rather, it was a long-term strategy. The first steps were taken between 2014-2015, when Việt Nam introduced a national credit scoring system managed by the CIC. At the time, the government called it an innovation—something citizens would need to gradually adapt. However, the rollout coincided with China’s launch of its Social Credit System (SCS), a powerful tool for social control through data.
The project accelerated dramatically in recent years. On March 28, 2022, the government approved a national population database to track citizens’ assets and income. By April 2023, the MPS was collaborating with the State Bank (NHNN) on Project 06 to integrate this database with banking records. The very next day, on April 25, 2023, Thanh Niên newspaper reported that the ministry was already uploading 42.3 million “cleaned” citizen records to the CIC to pilot the new credit scoring system.
In April 2025, the government issued Decree 94/2025/NĐ-CP, creating a “Pilot Mechanism” effective July 1, 2025. This decree authorized banks to use artificial intelligence (AI) to score creditworthiness based on a vast range of data, including income history, education level, travel records, and telecommunications activity. Crucially, all this scoring data had to be shared directly with the MPS via VNeID—a feature that mirrors China’s earlier state-surveillance model.
The goal appears to be emulating China’s data-driven efficiency. As Associate Professor Đặng Ngọc Đức—Dean of Finance and Banking at Đại Nam University—told VnEconomy, “China only needs 2 minutes and 16 seconds to approve a loan thanks to databases tracking citizens’ consumption and lifestyle.”
The new scoring system was launched for testing on July 1, 2025—barely a month before the Independence Day gift campaign, which offered citizens 100,000 đồng each.
Further cementing this connection, Việt Nam’s Ministry of Information and Communications recently signed a cooperation agreement with China’s National Data Bureau, part of 32 pledges made by the late General Secretary Nguyễn Phú Trọng in December 2023.
A Warning and a Challenge to Public Trust in Data Surveillance
Amid the optimism of the data-driven governance project, an unexpected incident struck. On Sept. 8, it was revealed that more than 160 million financial and credit records at the CIC had been leaked—a dataset that cybersecurity firms Resecurity and Cybernews assessed as covering virtually all citizens and businesses in Việt Nam. The hacker group ShinyHunters claimed responsibility, offering the data for sale on the dark web for $175,000.
The official response was a mix of confirmation and downplaying. On Sept. 11, the Việt Nam Cyber Emergency Response Center (VNCERT) confirmed the breach.
The State Bank (NHNN), however, assured the public that transactions remained safe and that the CIC did not store sensitive personal information. This assurance was immediately contradicted by experts.
Võ Đỗ Thắng, director of the Athena Cybersecurity Center, warned that the leaked data could be weaponized for extortion, scams, and legal harassment, while police cautioned citizens about rising cases of fraud and identity theft.
The potential damage is immense. According to Resecurity, the vast trove of exposed data may include:
- Personal identifiers
- Credit payment history and risk assessment data
- Partially encrypted credit card details
- Military, government, and tax IDs
- Income reports, debt records, contact details, employment information, and bank data
While authorities have not confirmed the exact scope, Resecurity concluded that the breach was serious enough to ring alarm bells, calling the CIC a “single point of failure” that could endanger the entire nation’s financial information.
JPMorgan also warned investors that the incident would drive up cybersecurity costs for Vietnamese banks and erode trust among partners and customers. The bank added that the breach exposed serious risks to the safety of capital flows into Việt Nam and that the possibility of larger-scale incidents occurring in the future could not be ruled out.
Such warnings should alert all Vietnamese individuals, businesses, and institutions to prepare—not just for financial and commercial risks, but for the profound threat to the safety and privacy of their personal data.
***
In recent years, citizens have faced the increasing risk of being tightly monitored as the state expands data collection across all domains of their lives. Now, as those data warehouses grow vast, a new danger looms: catastrophic personal information leaks due to weak security, with consequences ranging from identity theft to wrongful prosecution.
This new reality challenges the very foundation of the state’s project. The effectiveness of governing through digital surveillance has always been a matter of debate; now, it is a matter of urgent public concern. Above all, the authorities must bring this issue to the table and reassess the feasibility of their data-driven model with the gravity it demands.