22 arrested in theft and sale of iPhone users’ personal data

Police in east China’s Cangnan county recently arrested 22 people on suspicion of stealing and selling iPhone users’ personal information online, bringing public attention once again to the country’s rampant personal information leaks (in Chinese).

Among the 22 suspects, 20 are employees at Apple’s local direct-sales and outsourcing companies. These people took advantage of Apple’s internal system platform to illegally access iPhone users’ data including their phone numbers, names and Apple IDs. It is reported that they sold each piece of the information for RMB 10 to RMB 180, with the total amount of money involved in the case topping RMB 50 million.

It remains unknown how many Apple users’ personal data have been stolen, and the case is pending further investigation.

What is the use of stealing iPhone users’ information? In a case cracked last May by Jiangsu police, stolen Apple IDs were found to be used by criminals to top up their online game accounts and ransom blocked phones.

Although an IMEI number is printed on the packaging box of an iPhone, criminals can do nothing with it unless they get help from moles with access to Apple’s internal platform, who can acquire a user’s Apple ID registration information by entering the IMEI number. In a similar personal information theft case in Anhui province last year, the mole was a staff member of a customer service company outsourced by Apple.

Police warned that, starting June 1, 2017, the illegal acquisition, sale or provision of 50 or more pieces of information pertaining to personal whereabouts, communication content, credit or property constitutes a crime. For those who work in the financial, telecommunications and medical care sectors, leaking 25 pieces of personal information for personal benefit will be considered a crime (in Chinese).

Driven by money, the theft and sale of personal data has become a ‘black industry chain’ in China. In 2016 alone, Chinese police across the nation busted more than 2,000 personal data theft operations, capturing over 5,000 suspects. Of the total, as many as 450 were internal staff working for banks, education institutions, telecommunications, couriers, securities, and e-commerce firms. They used their positions to illegally collect customer information and sell it for profit.

Apart from these moles, information is also stolen by hackers using technical means, or collected under the guise of job recruitment, sending gifts, and links to fake websites, among others.

A report by the Internet Society of China revealed that personal information leaks caused an economic loss of RMB 91.5 billion to victims last year (in Chinese). In the first quarter of this year, the number of calls marked as crank calls rose by 65.8% from a year earlier, according to Chinese internet security firm Qihoo 360. Crank and fraud calls increasingly threaten cellphone users’ security.

Experts say iPhone users currently don’t have to worry about theft of the bank card information linked to their Apple IDs, because the moles can only obtain the phone number or mailbox tied to a user’s Apple ID. But they suggest Apple users set up two-step verification for their Apple IDs to strengthen account security (in Chinese).

Apple recently released a new policy specifying that beginning on June 15, app-specific passwords will be required to access your iCloud data using third-party apps such as Microsoft Outlook, Mozilla Thunderbird, or other mail, contacts and calendar services not provided by Apple.