The troubled micro-lending tycoon Qudian, which has been questioned for its operation ethics domestically upon massive US IPO, is facing a grimmer situation this week after local media Yiben Caijing reveals possible user information by its employees.

The personal information of nearly 1 million students was on sale on black market at a price of RMB 100k. The package was also being sold separately by province with files for each province consisting of tens of thousands of entries. For example, the file for Jiangsu Province includes 51,289 entries. “Data from Beijing, Shanghai and Jiangsu was priced at RMB8,000,” the report citing people familiar with the matter.

These data include a wide range of personal info from generalities like names, addresses, phone numbers to more detailed data such as phone numbers of their parents and friends, loan size, accounts and passwords to CHIS, the state-backed higher-education qualification verification institution in China.

Peddlers claim that Qudian is the source of this package. A former Qudian employee, who speaks under anonymity, confirmed this after comparing the leaked info with the data she owned, the report pointed out. Analysts told Yiben Caijing that the data is more likely to be exported by an insider than from a hacker because it’s saved in a CSV format.

It’s no secret that the personal information leak is rampant in China with details of million of citizens being stolen, shared, and sold online. The source of data leakage varies from government workers to tech companies, and the data usually goes to agencies and private investigation companies for user acquisition.

Earlier this June, 22 Apple distributors were arrested in China for selling user data. Likewise, a former user information leakage forced Chinese e-commerce JD to issue an official announcement to apologize for the subsequent results.

Of course, the recurring personal info leak cases have raised the awareness of relevant authorities. The newly implemented Cybersecurity Law of China prescribes that people who sales a minimum of 50 entries of personal information will be accused and convicted.