Five employees at a major Chinese package delivery company leased their internal employee accounts to criminal groups, compromising more than 400,000 users’ personal information.
Police in Handan, Hebei province, arrested three suspects in the criminal groups involved in the data leakage at YTO Express Group Co. The company apologized Tuesday for the leakage and said it will conduct real-time monitoring of internal accounts and actively discover illegal activities. Consequences for the five employees weren’t disclosed.
YTO said its risk control system detected two employee accounts used to check package information that were not related to the employee site, raising red flags at the company’s Shanghai headquarters. Authorities found that five YTO employees leased their accounts for 500 yuan ($76) a day to criminal groups, which then sold YTO users’ information, including names, identification card numbers, phone numbers and addresses, to domestic and overseas telemarketing fraud groups.
This was not the first data breach case involving employees at package delivery companies. In September 2019, police found that six delivery workers at Deppon Logistics Co. Ltd. stole user data and provided it to an e-commerce company. In 2018, police found that two agents at Cainiao Global, the parcel tracking platform of Alibaba Group, installed malware programs on package scanners to steal user information.
Preventing such leaks at package delivery companies requires systematic business transformation, which is difficult for most companies due to capital and technology limits, said a former delivery company employee who was in charge of data security. Many delivery companies have internal security systems, but they are far from effective in practice because many employees have access to user data, the person said.
Contact reporter Denise Jia (firstname.lastname@example.org) and editor Bob Simison (email@example.com).
Support quality journalism in China. Subscribe to Caixin Global starting at $0.99.