In 2025, on average, one government server is brought down by a ransomware attack every 28 days. With the rapid evolution of AI technologies, more and more enterprises and governments are accelerating digitalization—this, in turn, has opened a new business model for cyber attackers.

Author: Botao Xu
Research Assistant: Leci Zhang
On March 18, the UK-based tech research institute Comparitech released a report revealing that:
From 2018 to 2024, confirmed ransomware attacks on government institutions worldwide reached as many as 1,133 incidents. Each attack caused system shutdowns lasting more than 27.8 days on average, leading to direct economic losses of up to $83,600 per day.
Around the same time, U.S. cybersecurity firm Zscaler disclosed a shocking black-market transaction: a multinational corporation ranked among the Global Fortune 50 paid a record-breaking $75 million ransom to the ransomware group Dark Angels.
This not only set a new global record for ransom payments, but also signaled the beginning of a silent cyberwar triggered by rising digitalization in enterprises. Some companies are now relying on "paying to survive" as a temporary means of safety—reshaping the entire digital security ecosystem in the process.
Behind the soaring frequency of hacker attacks and ransom payments lies a clear exposure of core vulnerabilities in global government systems: the "stress limits" of traditional IT infrastructure have been dragged onto the negotiation table of the dark web economy.
The Real Danger Is Not “Being Attacked,” But Enterprises Ignoring the Existence of Risk
For a long time, attention to data security has focused on large tech companies — incidents such as Huawei facing a global network blockade or TikTok being accused of “sending data back to China” have gradually shaped a default public perception: only billion-dollar platforms entangled in political sensitivities are the real targets of hackers.
However, in EqualOcean’s research, what surprised the team was that many Chinese enterprises in the process of globalization generally neglected to assess the security status of their own systems when discussing cyber risks.
These enterprises often attach great importance to external data compliance and customer privacy protection, yet treat internal operating systems as mere “back-end business support” — and it is precisely these systems that have become the weakest links and the easiest points of entry for attacks.
“Hackers don’t ‘discriminate’ between large corporations and small or medium-sized enterprises. They simply scan the network, looking for nodes with excessive permissions, inactive security mechanisms, or exposed login portals. Whoever shows up first gets taken down first.”
— Liang Gong, cybersecurity engineer
Especially in today’s environment, where ransomware and data black-market transactions are maturing rapidly, attackers no longer need to target victims one by one. They can infect hundreds or even thousands of enterprises at once, automatically extract and classify data, and then package and sell it in bulk on underground markets. For companies operating under a “minimum setup, maximum permissions” model, even small-scale operations can become profitable samples for attackers.
This means that whether an enterprise is “valuable” is no longer the prerequisite for being attacked. What truly determines its fate is whether it has a clear awareness of its own risk points — whether it has established clear boundaries for system entry points, data usage paths, and permission mechanisms.
Many of the reported cases share common characteristics:
The root cause was not “sophisticated hacking skills” but outdated internal security systems;
Multiple incidents were traced back to unclear permission settings, unencrypted cloud interfaces, and human errors like developer misoperations;
After incidents occurred, companies lacked emergency response mechanisms, responded slowly, communicated the situation vaguely, and failed to contain losses in time.
These lessons demonstrate that security systems are not a luxury exclusive to large enterprises, but the entry threshold for all players in the global market.
As cybersecurity enters an era of “systemic-scale attacks,” the real danger is not whether you’ve been attacked — it’s whether you realize you’re already on a large-scale infiltration map.
Shein: Security Flaws Are Not a Thing of the Past — How Can You Pay the Price for a Mistake Made Four Years Ago?
In 2018, when Shein’s parent company Zoetop first suffered a hacker attack, it was still a relatively low-profile cross-border e-commerce platform primarily focused on the European and American markets.
The attackers stole approximately 39 million user account records, including usernames, encrypted credentials, and even fragments of credit card information.
Although the incident didn’t attract much attention at the time, years later, in 2022, the Office of the New York State Attorney General completed its investigation and determined that Zoetop had misled consumers, delayed reporting, and failed to fix the vulnerabilities. It was ultimately fined $1.9 million.
Shein’s experience proves that data breaches are not a one-time injury, but a long-tail depletion of trust. Even if a company rapidly grows into a global brand, security flaws left in the early days can still explode years later.
Gearbest: The Greatest Risk Was Not Hackers — But Forgetting to Lock the Door Yourself
For many small and medium-sized enterprises, the greatest data risk does not come from hacker attacks, but from their own security negligence.
In 2019, due to a misconfigured and unencrypted database, Shenzhen-based cross-border e-commerce platform Gearbest exposed millions of user records to the public internet for several weeks. The leaked information included:
Real names, phone numbers, and home addresses of users
Passport numbers and bank card information (some in plaintext)
Shopping order contents and payment pathways
Famous ethical hacker Noam Rotem also publicly warned about Gearbest’s potential vulnerabilities.
However, Gearbest responded by claiming that “only about 280,000 users were affected” and blamed the issue on a “third-party tool that accidentally disabled the firewall,” but did not specify how long the vulnerability persisted or disclose the details of subsequent fixes.
Compared to a hacker intrusion, this incident resembled a disaster in which “the company voluntarily handed over the keys.”
This incident fundamentally shatters a common myth: that the biggest data risk for SMEs is being attacked. No — it’s the overlooked vulnerabilities that pose the greatest danger.
NIO, Toyota, Volkswagen: Data Leaks Are Not Isolated Breaches, but Systemic Risks
In 2022, Chinese electric vehicle manufacturer NIO suffered a cyberattack. The attacker claimed to have obtained its complete sales data and user privacy information, demanding $2.25 million in Bitcoin.
NIO refused to pay, and the data was subsequently released on the dark web, involving core data fields such as personal information, vehicle owner orders, and delivery regions.
That same year, Toyota experienced a "non-attack-related" data leak: due to an operational mistake by an outsourced developer, the source code of the T-Connect website was uploaded to GitHub and set to “public” status for nearly five years, exposing account identifiers and registration emails of approximately 300,000 users.
At the end of 2024, a backend error at Cariad, a Volkswagen subsidiary, led to the leakage of real-time operational data for 800,000 electric vehicles—including driver details, location histories, and vehicle control logs—some of which even belonged to German government official vehicles and police patrol cars.
These three incidents span major automotive manufacturers from China, Japan, and Germany, each with entirely different technical systems, business models, and national regulatory frameworks. Yet they all reveal a shared reality: data breaches no longer require hackers with “advanced skills”—all it takes is “one poorly configured partner.”
Whether government or enterprise, large or small, any organization can become a target of cyberattacks. As technology advances, data security and information security will become concerns across all industries.
As a result, from shipping and fashion to new energy vehicles, Chinese companies expanding overseas are facing serious data security challenges. Once a data breach occurs, the accompanying legal, financial, and reputational risks can instantly destroy years of accumulated brand value.
Three Major Data Asset Risks: Fatal Vulnerabilities in the Ransomware Era
Tax and Financial Data: The Lifeblood of an Enterprise
In the context of globalized operations, an enterprise’s ability to gain regulatory approval and customer trust in overseas markets largely hinges on the compliance of its tax systems.
Cross-border invoicing, employee payroll reports, bank transactions, local tax IDs, and even high-frequency trading records—these sensitive “back-end” data points are increasingly viewed as “strategic assets” by hacker organizations.
While AI tools have played a significant role in global tax compliance and automated financial accounting, they also magnify a long-underestimated risk: once the underlying data feeding into AI systems is hijacked, the enterprise’s financial strategies, supply chain layout, and profit structure will be fully exposed to adversaries and the black market.
“Some clients still don’t know in which countries we’re actually paying taxes. But once the main tax server is hijacked, all it takes is a screenshot of the ransom email for our tax system to collapse.”
— Carol, CFO of a Southeast Asian manufacturing company
Shein and OnePlus: Data Leaks, Trust Collapse
In the previously mentioned 2018 incident involving Shein, where payment data of tens of millions of users was leaked, the platform swiftly removed the vulnerable access points and attempted to patch the issue within weeks. However, the matter didn’t end there.
Regulatory bodies intervened, and multiple consumer protection organizations in the U.S. and Europe filed lawsuits, even sparking debates around “transparency of Chinese brands.”
But this was not an isolated case.
OnePlus also experienced a back-end payment system vulnerability that exposed credit card details of over 40,000 users.
In response, the company had to urgently shut down its online payment system and offer one year of free credit monitoring to all affected users.
Moreover, the losses weren’t limited to compensation or service disruptions—the brand’s reputation in the North American market plunged, with search popularity dropping by over 70%.
In December 2023, clothing brand VF Corporation was targeted by the ransomware group AlphV (also known as BlackCat).
The attack affected roughly 35.5 million consumers, leaking names, contact information, and order records.
It severely disrupted inventory replenishment and order fulfillment across several of the company’s brands.
“Lose data once, and the customer may never return.”
— Jerry, CIO of a Southeast Asian manufacturing firm
Crisis Response: More Important Than Data Recovery Is the “First Hour of PR”
EqualOcean’s research indicates that an enterprise’s immediate public communication in the wake of a ransomware or hacking incident often determines whether the crisis can be contained.
Compared to companies that try to “handle it internally” or “wait and see,” those that disclose the incident to the public right away, inform partners, and update regulators tend to regain higher market trust after the incident subsides.
After the Shein incident, the brand was initially questioned in the European market as a “non-compliant data handler,” but within 24 hours, it issued three public statements, voluntarily accepted audits and reforms, and cooperated with multiple regulatory investigations.
While Shein was eventually fined, it effectively stemmed the public backlash—some media even cited its handling as a “model case for data breach response.”
What truly collapses a brand is not being hacked, but the attempt to cover up the truth after the fact.
“In this era, security flaws are inevitable, but lack of transparency is unforgivable.”
— EqualOcean analysis summary
Internal Operational Data: Core Competitiveness That May “Run Naked” on the Dark Web
Before the widespread deployment of AI, “data leaks” mostly meant the compromise of customer privacy or payment information.
But as AI becomes embedded throughout business operations, the real moat of enterprises—internal operational data—has become an even more valuable target for attackers.
Modern enterprises are now “data-driven by default.”
From product prototyping, R&D schedules, and supply chain routes to executive emails, employee performance systems, and strategic roadmaps—these internally generated, non-public data form the basis of a company’s market forecasting and decision-making for years to come.
Once these systems fall victim to ransomware attacks, it not only causes immediate paralysis but may also lead to the irreversible loss of long-term judgment capacity and technological assets.
COSCO, Maersk, NIO: No Company Is Truly Immune
In July 2018, the U.S. branch of Chinese shipping giant COSCO was hit by a cyberattack that shut down all email and phone communications.
While its official website posted a notice of a “temporary technical glitch,” subsequent disclosures confirmed it was a coordinated ransomware attack. COSCO was forced to shut down network nodes across several U.S. locations, delaying some cargo operations at Long Beach Port by over 48 hours.
A year earlier, Maersk had already become a high-profile victim.
In June 2017, it was infected by the NotPetya virus, paralyzing roughly half of its global business systems across 250 port operation nodes. Over 4,000 systems had to be reinstalled, with direct economic losses exceeding $300 million.
Such attacks are not confined to traditional industries like shipping—new energy companies are also vulnerable.
At the end of 2022, NIO experienced a data breach in which attackers stole vehicle sales, order, and delivery information, followed by a ransom demand.
An insider close to the incident revealed: once such data falls into the hands of a competitor, it not only reveals real market share but may also leak the full chain of “front-end sales strategy + back-end supply deployment.”
More seriously, in AI-driven operational systems, data attacks are no longer limited to “theft” but can also mean “tampering.”
By subtly altering logistics routes, production formulas, or scheduling priorities, attackers can cause the system to make wrong decisions without warning, leading to cascading cost waste.
“Once internal data becomes inaccurate, a company’s decisions go off track. And by the time senior executives realize the consequences, it may already be three months later—when the quarterly financial report is released.”
— Michel, CTO of an AI manufacturing platform
Internal Security Governance Should Be the “Top Security Budget Item” for Globalizing Enterprises
Compared with traditional information security perimeters, what enterprises truly need to build is a tri-layered security governance system that covers “data source – transmission path – endpoint access.”
According to EqualOcean’s research, some digital-first Chinese companies expanding overseas have already elevated “internal data security” from a technical department concern to a cross-departmental strategic priority, establishing a three-level protection model of data classification + dynamic access management + local compliance mapping:
Every highly sensitive document (e.g., strategic PPTs, R&D logs, payroll sheets) is automatically encrypted and access-tracked;
Employees in overseas branches can only access data at authorized levels within permitted environments, with access immediately revoked upon anomalies;
Data storage, access, and transfer risks are assessed in parallel with local privacy laws (such as GDPR, CCPA) to avoid regulatory penalties after the fact.
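A sketch of the three-level model above as a single access decision, added here as an example and not code from EqualOcean or any company it surveyed. The level names, environment labels, region-to-law map and the anomaly rule (repeated denied requests) are assumptions; encryption of the documents themselves is out of scope.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3  # e.g. strategic decks, R&D logs, payroll sheets


# Assumed compliance map: storage region -> law assessed before data leaves it.
REGION_LAW = {"EU": "GDPR", "US-CA": "CCPA"}


@dataclass(frozen=True)
class Document:
    name: str
    level: Level
    region: str  # where the data is stored


@dataclass
class User:
    name: str
    clearance: Level
    environments: frozenset  # environments the user may work from
    region: str
    revoked: bool = False
    denials: int = 0


@dataclass
class Gate:
    max_denials: int = 3  # assumed anomaly rule: repeated denied requests
    audit: list = field(default_factory=list)

    def request(self, user, doc, env):
        """Decide one access request and record it in the audit trail."""
        decision, reason = self._decide(user, doc, env)
        if decision == "deny" and reason != "revoked":
            user.denials += 1
            if user.denials >= self.max_denials:
                user.revoked = True  # revoke immediately on anomaly
                reason += "; access revoked"
        self.audit.append((user.name, doc.name, env, decision, reason))
        return decision, reason

    def _decide(self, user, doc, env):
        if user.revoked:
            return "deny", "revoked"
        if env not in user.environments:
            return "deny", "environment not permitted"
        if user.clearance < doc.level:
            return "deny", "clearance below classification"
        if doc.region != user.region:
            # Fail closed: unmapped regions also go to review, never to allow.
            law = REGION_LAW.get(doc.region, "unmapped-region")
            return "review", f"cross-border access needs {law} assessment"
        return "allow", "ok"
```

Every request, allowed or not, lands in `Gate.audit`, which is what makes the access-tracking requirement checkable after an incident.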
External Supply Chain Information: The “Invisible Bomb” of the Data Age Often Lies in the Weakest Link
In global market operations, Chinese enterprises going overseas rely more than ever on external collaboration networks—raw material suppliers, multinational logistics providers, channel distributors, local tech service firms—almost every touchpoint involves data exchange.
While AI and digital systems have greatly enhanced global collaboration efficiency, they also open a dangerous new dimension: the longer the chain, the larger the attack surface. Risks no longer come from the “front door,” but from the “side door.”
Research shows that up to 92% of enterprises have experienced data security incidents originating from third-party service providers or supply chain nodes within the past five years.
In other words, most brands were not defeated by elite hackers in direct confrontation, but by a small outsourced vendor with no backend restrictions, causing the entire security system to collapse.
Gearbest, E-Delivery Contracts, and the Compliance Red Line
The Gearbest data leak incident is a typical case. The root cause was not an advanced hacking attack, but misconfigured cloud database settings that exposed large volumes of user data, order records, and logistics information through public interfaces.
Although the issue originated from a technical service provider’s permission settings, it was the platform itself that ultimately bore the full cost in terms of brand trust and compliance risk.
This kind of “data supply chain breakdown” is especially dangerous for Chinese firms.
Imagine a Chinese tech executive who sends overseas distributors a shipment plan, quarterly production volume, pricing strategy, and restocking schedule. If intercepted, this data is almost equivalent to handing competitors a full “internal business timetable.”
More critically, under increasingly stringent global regulatory regimes such as GDPR, CCPA, Australia’s Privacy Act, and Japan’s APPI, once a company is determined to be involved in “customer or partner data leakage,” it is required to:
Notify regulators immediately;
Launch an internal investigation;
Publicly disclose response measures.
Failure to do so may result in hefty fines and long-term reputational damage.
This is not just a technical problem—it is a strategic-level global trust crisis.
EqualOcean’s Recommendations for Globalizing Enterprises
Avoid single-platform data aggregation; adopt a diversified AI services portfolio to ensure redundancy in data pipelines.
For all cross-border data, enforce off-site encrypted backups and regular disaster recovery drills.
Introduce an independent third-party security audit mechanism and conduct at least one full-chain compliance scan annually.
Require all supply chain partners to sign data security responsibility clauses, embedding compliance obligations at the chain’s origin.
In the data age, the true system risk no longer comes from “enemies,” but from the “friends of your friends.”
The more complex the supply chain, the more precise the control chain must be. Otherwise, the weakest link in your partner network may be the “first button” that collapses your entire enterprise.
Conclusion
In the Digital Battlefield, There Are No Bystanders—Every Globalizing Enterprise Is on the Front Line
In the past, cybersecurity and data security were seen as matters for the IT department, for large corporations, as “other people’s problems.”
But today, from small overseas e-commerce platforms to global automakers, from tech unicorns to traditional shipping giants, a string of cases has reshaped our understanding:
Every enterprise, every system, every byte of data could be a potential target for hackers and the dark web.
Enterprises can no longer use excuses like “small data volume” or “few customer records” to dodge risk. Traditional IT architectures are also gradually losing their natural defensive strength.
The era of rampant ransomware is, at its core, a test of enterprises’ data governance capability—not just the robustness of their defense systems, but their responsiveness to uncertainty, organizational resilience, and management maturity.
From strategic leadership to front-line operations, from data collection to data use, from local storage to global transmission—every seemingly trivial interface, every unencrypted file—may become the trigger for total systemic collapse.
We must acknowledge: in the wave of digital globalization, cybersecurity is no longer a “should we” question—but an “are we ready” imperative.
The future will belong to those enterprises that treat security as the foundation of development, not the price of it.