China: Shanghai Cyberspace Administration published typical data protection enforcement cases including cybersecurity enforcement

Description


On 16 January 2026, the Shanghai Municipal Cyberspace Administration published a batch of typical data protection enforcement cases, including several cases on cybersecurity. The first firm, a logistics and transportation network technology company, inadvertently exposed a database containing sensitive personal information via an open port. Further investigation revealed that the information lacked access control and encryption, and that the company had not conducted a security assessment. The Administration issued a warning, imposed a fine, and ordered the matter to be resolved within a specified period. The second, an Internet of Things technology company, exposed server logs containing personal data and used weak passwords. The Administration issued a warning and ordered the matter to be resolved within a specified period. The third, an archival management services centre, failed to implement security strategies and to maintain network activity logs. The Administration issued a warning and ordered the matter to be resolved within a specified period.


Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: other service provider, technological consumer goods, software provider: other software
Implementation Level: subnational
Government Branch: executive
Government Body: other regulatory body

Complete timeline of this policy change

2026-01-16
in force
