Back in 2011, I posted several reports of massive hacks or insider data theft involving Chinese sites. One of the reports involved Alipay, which is Alibaba’s online payment system. At the time, Alipay would only confirm that IDs had been involved, but said it was only IDs.
Today, I saw this on ECNS.cn:
Alipay, the online payment arm of Chinese e-commerce titan Alibaba, apologized to its users for concerns over stolen data.
The company said on its Weibo account on Saturday that the data was stolen by a former staff surnamed Li, who downloaded more than 20GB of user data in 2010, and then sold the information to e-commerce and data companies with two other accomplices.
However, Alipay denied that the data theft threatened its users’ privacy.
So what do they mean by threatening user privacy? A bit more transparency on their part about what types of data the employee stole and sold would be helpful here.
Update: ChinaDaily.com has those details in their report:
The leaked data revealed only transaction information before 2010. They excluded sensitiveinformation such as usernames or passwords, which were ciphered through a sophisticatedmethod that is not available to anyone,” according to a statement by Alipay on Sunday.
[…]
Earlier media reports said police have held a former employee of Alipay, who told police hedownloaded 20 gigabytes of personal information in 2010 — including users’ names, cellphonenumbers, e-mail addresses, home addresses and purchase records — and his accomplicessold the information to others. Industry insiders said the information was useful for some e-commerce websites who need to locate their potential customers.