Authorities in northwestern China have penalized several critical infrastructure operators and state contractors for failing to protect sensitive user data, highlighting Beijing’s intensifying nationwide enforcement of data security regulations. The cybersecurity police in Xinjiang disclosed to local Chinese media multiple enforcement actions targeting utilities, government contractors, and industrial firms that neglected statutory digital defenses.
In one case, a water supply company in the Ili Kazakh Autonomous Prefecture faced administrative penalties after an insider illegally exported more than 10,000 user payment records to real estate brokers. Investigators discovered the utility suffered from deficient internal controls, unencrypted sensitive data, and a systemic lack of routine security training for personnel. The employee involved has been released on bail pending trial while the utility was ordered to overhaul its security architecture.
Third-party vendor vulnerabilities emerged as a primary target for regulators during the enforcement sweep. An employee at an external information technology contractor for a regional government affairs center used a virtual private network connection from home to illicitly access and sell over 10,000 citizen records. Regulators penalized the outsourcing firm for failing to implement basic technical protections or employee training, and subsequently summoned the head of the government affairs center for official regulatory talks.
The enforcement campaign also targeted heavy industries for technical non-compliance and unpatched network vulnerabilities. In the Aksu region, a mining company faced administrative sanctions after repeatedly ignoring police orders to fix high-risk website vulnerabilities that allowed external actors to read sensitive server files. Separately, an energy firm in Changji was penalized for letting its log auditing hardware sit idle and failing to deploy firewalls on its network perimeter. The omission violated China's Cybersecurity Law, which mandates that critical systems retain operation logs for a minimum of six months to ensure traceability during digital breaches.
Regional cybersecurity officials warned that data classification, strict access controls, and regular vulnerability management are non-negotiable legal obligations for all organizations operating information systems. The police emphasized that outsourcing technical maintenance does not absolve primary agencies of their supervision duties, signaling that regulators intend to hold both contractors and operators strictly liable for supply chain vulnerabilities.