Twenty employees at an Apple distributor in China have been arrested for selling customer data. Using the distributor's own computer system, the employees gathered a large trove of data including phone numbers, Apple IDs and other data. The data was sold for between 10 yuan and 180 yuan ($1.50 and $26.50) each. In total, the data netted the criminals around 50 million yuan (US$7.36 million). That accounts for several million user records.
The theft was also not concentrated in one location. Arrests were made across four different provinces, Guangdong, Jiangsu, Zhejiang, and Fujian, all in the south-east of the country. Chinese police are also reporting that they dismantled the online network of the criminals. This might explain the arrests over such a large area.
Personal data regularly sold across China
According to the Hong Kong Free Press, which broke the story, this sale of personal data appears to be commonplace. It says: “The sale of personal information is common in China, which implemented on June 1 a controversial new cybersecurity law aimed at protecting the country’s networks and private user information.”
The HKFP also cites other publications and instances of the selling of data. In one example, that included the selling of data from police and government databases.
What does this mean?
This is a classic insider theft case. There is no evidence that the employees hacked the system. Instead, they appear to have used their permitted access to steal and sell customer data. Identifying such employees requires better security systems and more granular controls over data access.
At the moment it appears that the data sold was only that of customers in China. However, the amount of data taken will cause major embarrassment at Apple. It has previously faced claims its services were breached, only for it to turn out that the data was stolen from third-party networks. The problem for any vendor is proving that the data did not come from their systems but from those of a third party.
This should raise significant concerns for CIOs and CISOs. Enterprises are pushing ahead with digital transformation projects which will create closer integration between them and their supply chain. If the security controls are not good enough, it will make it easier for hackers to target smaller suppliers and gain a foothold in enterprise systems. To counter this, IT security teams need to ensure that access rules are not just appropriate but monitored closely.