YTO Express Group [600233:CH], admitted in a statement that its five employees leased their internal accounts to criminal groups for profit, leaking some 400,000 pieces of users’ personal information, as reported by Beijing News on November 16, 2020. According to police based in Hebei province, three suspects in the criminal groups were arrested in September this year, but the rest remain on the run. YTO Express’ employees had leased their accounts for RMB500 per day for each account. The suspects reportedly logged into the system to steal user data and then sold it to domestic and overseas buyers for RMB1 per piece of information. The leaked information included users’ names, ID numbers, phone numbers and addresses. YTO Express apologized to the public on November 17, 2020 and said it would conduct real-time monitoring of internal accounts to discover illegal activities.
This is not the first data breach case for YTO Express. In 2013, the company leaked the information of more than one million customers. In the aftermath, YTO Express stated it had strengthened its internal management to prevent such incidents from happening again. In its 2019 ESG report released on July this year, YTO Express claims to be committed to ensuring security and privacy for its customer data. But in action, it failed to fulfill this commitment. Companies in the same industry including STO Express, Deppon Logistics, Express Mail Service (EMS), and Yunda Express have also been involved in incidents related to selling user data online. Express users’ details are sold online with each piece of user data ranging from RMB0.8 to RMB10. In August 2019, police found that several employees of Deppon Logistics stole more than 500,000 datapoints of users information and provided them to an e-commerce company. In 2018, police found a criminal group installing malware programs on Cainiao Global’s couriers’ package scanners. The logistics platform is under Alibaba Group, and 10 million pieces of user information had been stolen.
China’s Personal Data Protection Law is looking to address consumer data privacy. The draft law was open for public comments between October 21, 2020 to November 19, 2020. Should it receive approval, it will be China’s first comprehensive law on protection of personal data. This will no doubt impact logistics companies and change the way many Chinese companies handle data security and customer privacy.