Alipay's new gift envelope service will counter WeChat block. (Photo : global.alipay.com)
Alipay, one of the largest online payment service providers in China and a sub-company of leading Chinese e-commerce titan, the Alibaba Group, revealed on Sunday that a security breach to its servers resulted in the theft of customers' personal data.
Alipay apologized for the incident and said that it had informed all relevant authorities and "would update the public on the results of the investigation." The leaked data was transactional information from before 2010 and did not include any sensitive information such as customer usernames or passwords. Alipay keeps sensitive data in a separate server with more sophisticated protection system.
According to earlier news reports, the breach was caused by a former Alipay employee who hacked into the server and downloaded 20 gigabytes of customer data which he turned over to an accomplice. The accomplice then sold the information to unknown buyers who are suspected of being e-commerce firms who could use the information for a targeted ad campaign to individual customers on the list. The stolen data included information about customer names, cell phone numbers, e-mail addresses and records of purchases. The hacker and his accomplice are now in police custody.
The leak has raised concern about the security of online transactions in China which, in recent years, has seen a spike in the number of people that shop online. Alipay is used by nearly 200 banks and 400,000 e-commerce vendors for its third party online payment services.
Interestingly, the hacker who caused the breach may not be charged under the criminal law. According to legal experts, for that to happen, Alipay must be considered a financial institution. However, if Alipay is indeed found to be a financial institution, it may face fines and penalties for failing to have the necessary security protection plan and policies required to keep customer data safe from unauthorized access.
