Apr 15, 2020 04:33 AM

Offer to Sell 1 Million Financial Customer Records Stokes Data Breach Fears

An online post openly offering to sell more than 1 million pieces of customer information allegedly belonging to several Chinese financial institutions fueled fears of potentially massive leaks of private data. But at least one bank involved said the records were not authentic.

The post, originally published on the overseas hacker site Raidforums, offered to sell customer information from several Chinese banks and insurance companies, including Bank of Shanghai, the Industrial Bank, Shanghai Pudong Development Bank, China Merchants Bank and Ping An Insurance.

Information for sale includes customers’ names, phone numbers, identification numbers and home addresses. The online thread, published under the pseudonym “togoodforthisshit,” listed a number of personal records as examples.

An Industrial Bank spokesperson told Caixin that information in the post did not match the bank’s customer records. The person said the information could be forged, and the bank reserves the right to resort to legal measures.

Other institutions involved declined to comment. Caixin learned that the institutions have reported the news to regulatory bodies for investigation.

Caixin contacted a person listed in the post as an Industrial Bank credit card holder. The person said the private information was correct, but he was not the bank’s credit card client.

A person from another bank told Caixin that the bank obtained part of the data being offered for sale through a third party for verification and found that most of the information didn’t match its records. Related government authorities launched an investigation, the source said on condition of anonymity.

An executive at a financial risk control company said Chinese financial institutions are exposed to rising information security risks from external attacks by hackers and internal leaks.

In late 2017, the central bank penalized 47 financial institutions in central China’s Henan province, levying fines totaling 7.16 million yuan ($1 million), for data falsification and information leaks.

The China Banking and Insurance Regulatory Commission in 2018 issued guidelines to toughen requirements for financial institutions’ management of customer data and privacy protection.

Under Chinese law, banking employees who leak customer data could face a criminal charge of infringing citizens' personal information and be subject to as many as seven years in prison.

Contact reporter Han Wei ( and editor Bob Simison (

You've accessed an article available only to subscribers
Share this article
Open WeChat and scan the QR code