Vietnam’s administrative penalties for cybersecurity violations remain significantly low compared to international standards and lack sufficient deterrent power.
Currently, the highest administrative penalty for a cybersecurity violation stands at VND200 million ($7,600) (applicable to an organization that violates cybersecurity) or VND100 million ($3,800) (applicable to an individual violator)
Consequently, according to Lieutenant Colonel Nguyen Dinh Do Thi, Deputy Head of the Network Information Security Division under the Department of Cybersecurity and High-Tech Crime Prevention at the Ministry of Public Security, it is necessary to study and supplement regulations to align sanctions with international practices, while consulting foreign regulations to perfect the penalty system in a strict and comprehensive manner.
Speaking at a seminar titled "Cybersecurity Law 2025: A Step Forward in Data Security Protection," held on November 24, Mr. Thi said "Through our professional operations, we have discovered that on forums and in closed groups, data of Vietnamese citizens is openly advertised for sale in packages. Some files contain up to tens of millions of records, covering a full range of professions and sectors. The subjects even classify the data in great detail, including phone numbers, full names, bank accounts, and even the income levels of specific groups."
He noted that criminals are no longer collecting data solely by hand; many are utilizing specialized software to steal data on a large scale.
According to Mr. Thi, there are three main issues contributing to this situation:
First, public awareness and consciousness regarding personal data protection remain low. Many people are willing to trade their privacy for convenience when using services or lack the habit of protecting themselves in the digital environment.
Second, many agencies, organizations, and enterprises have not deployed security measures commensurate with their data collection, processing, storage, and sharing activities. This inadvertently creates security voids for criminals to exploit.
Third, data management and control at certain units remain lax, creating loopholes for unauthorized information appropriation.
Additionally, Lieutenant Colonel Thi revealed that authorities have detected a number of domestic and foreign technology companies silently and illegally collecting data on Vietnamese users using automated tools. Many websites have pre-installed malware or data-mining software without the users' knowledge.
Furthermore, the legal framework regarding personal data protection is still being finalized. Following the upgrade of Decree 13 into the Law on Data Protection 2025, documents guiding its implementation are currently being drafted.
Vietnam currently ranks among the countries facing the highest number of cyberattacks in the region. In 2024 alone, over 600,000 attacks targeting domestic information systems were recorded, including tens of thousands of direct attacks against state agencies.
Google translate