‘Inside Jobs’ Top Threat to Data Safety for China’s Online Merchants

(Beijing) — Alibaba Group Holding Ltd. has found that internal theft is now the top cause of customer-data leakage in China — the world’s largest e-commerce market — the company said in a report Thursday.

China’s two largest e-commerce firms, Alibaba and JD.com Inc., both experienced customer-data theft last year. Other Chinese companies, including technology giants Baidu Inc. and Tencent Holdings Ltd., have reported similar cases in recent years.

Nearly half of the incidents in China’s e-commerce industry were caused by internal theft — meaning by an employee of the company experiencing the breach — according to Alibaba’s report, published at the 2017 Internet Security Summit.

About 36% of the incidents occurred with online sellers, while 35% were at delivery companies.

Personnel, such as undercover leakers, are the greatest challenge to data safety, said the Security Alliance of E-Commerce Ecosystem (SAEE), an information-security platform established by Alibaba in 2016.

A typical scenario involves an organized group sending a member to get a job at an online merchant, often in a bustling city such as Guangzhou. After the operative gets access to the shop’s customer database, he downloads the data and vanishes from the company. Others in the group then begin to telephone buyers for fraudulent purposes.

Another method involves swindlers convincing the sellers themselves to click on links that lead to computer viruses capable of stealing user login credentials and financial data.

Leaks also occur at delivery firms. Employees of logistics providers may take photos of shipping slips, which contain buyer names, addresses, telephone numbers and other personal information.

Finally, some senior employees have even become undercover agents, forming long-term cooperation with data thieves and voluntarily leaking information in exchange for compensation. This long-term approach works in part because the market for buying and selling merchant and customer data is relatively mature.

China’s fraud market — called the “underground black industry” in Chinese — was valued at 100 billion yuan ($14.8 billion) in 2016, with more than 1.5 million people engaged in illicit activities, according to government figures.

To counter this, Alibaba launched a platform last month that enables e-commerce companies to keep and share records of employees’ unlawful behavior.

Most online scam victims are located in economically developed cities such as Beijing and Shanghai and in provinces where e-commerce is highly advanced, such as in Guangdong, Zhejiang, and Jiangsu. Most offenders come from one of the two coastal provinces of Fujian and Guangdong, the report added.

China reported 20,623 cases of online fraud in 2016, with a total loss of 195 million yuan, according to Liewang, a fraud-reporting website. Victims were cheated of 9,471 yuan each on average, almost 90% higher than that in 2015.

The version updates an earlier story to remove a reference to a research firm’s disputed report.

Contact reporter Song Shiqing (shiqingsong@caixin.com)