Update: On Nov. 25, the Cyberspace Administration of China announced it had ordered YTO Express to “rectify” issues related to the data breach.
One of China’s largest courier companies, YTO Express, on Tuesday confirmed reports that its employees had sold some 400,000 pieces of customers’ personal information to criminals, who commonly use such data to target people for telecom fraud and other scams.
YTO, which is listed on the Shanghai Stock Exchange and backed by e-commerce giant Alibaba, said the suspects were apprehended in September, and the company has been actively cooperating with the investigation.
“According to the investigation, a few employees at franchisee delivery stations are suspected of colluding with outlaws outside the company,” YTO Express wrote on its official Weibo microblog. “They exploited employee accounts and illegal third-party tools to steal order information, thus leaking the data.”
YTO said it had detected abnormalities from two accounts belonging to an unspecified number of franchisee delivery stations in the northern Hebei province in July. The company then deactivated the accounts and reported the situation to local police. YTO Express did not respond to Sixth Tone’s request for comment Tuesday.
In September, local police arrested three people who had sold personal information for more than 1.2 million yuan ($180,000), The Beijing News reported Monday. The suspects offered to “lease” employee accounts for 500 yuan per day. Every customer’s personal data was sold for 1 yuan to buyers across the country and in Southeast Asia, where many scammers who target Chinese people are based.
According to 2019 figures on its website, YTO owns more than 4,000 branch offices and 70,000 franchised delivery stations employing a total of around 400,000 people. With the ever-increasing popularity of online shopping in China, package delivery firms such as YTO have seen their orders soar. In the first three quarters of 2020, the company ranked second in the highly competitive industry with 23.4 billion yuan in revenue.
Concerned with many companies’ subpar records for customer data protection, Chinese authorities in October published a draft law on personal information protection and proposed more stringent punishments for violators.
Gao Fuping, director of the data law research center at Shanghai’s East China University of Political Science and Law, told Sixth Tone that, despite increased attention from authorities, businesses should still take responsibility for safeguarding their customers’ private information.
“Companies should carefully screen their employees and have them sign confidentiality agreements,” Gao said, adding that the suspects will likely receive prison sentences of three to seven years according to China’s criminal law.
Editor: Kevin Schoenmakers.
(Header image: People Visual)