Former Zhaopin employees allegedly leaked 160,000 resumes to sell online

2 min read

One of China’s largest online recruitment platforms Zhaopin leaked 160,000 resumes in an alleged theft by two former employees, the company said in a statement on microblogging platform Weibo earlier this week.

Why it matters: Despite government attempts to prevent data breaches, the illicit sale of personal data remains a persistent problem. The data also comes cheap. The leaked resumes were available online for as little as RMB 5 (around $0.70) each.

  • Resumes can make an attractive target for personal data peddlers since they often contain sensitive personal information including addresses, phone numbers, birthdates, education history, and work experience.
  • Zhaopin discovered the leak in June 2018, and the former employees appeared in a Beijing court for the second time earlier this month.
  • The resumes were allegedly sold on Alibaba’s online marketplace Taobao.

“User data is the lifeline of Zhaopin’s development. [The company] will not tolerate illegal activities including information fraud and violations of personal data.”

—Zhaopin statement

Details: The two employees, surnamed Lu and Wang, allegedly helped a third suspect get a corporate account for the platform in order for them to obtain the resumes.

  • The third suspect, surnamed Zheng, then went on to sell the data through online channels, according to Zhaopin.
  • Zheng allegedly faked a business license and provided it to the two ex-employees.
  • Zhaopin reported the leak to the police and Lu and Wang were arrested in August 2018.
  • The company said it had discovered the leak during a routine check, identifying that it had suffered from a data breach.
  • The prices of resumes varied depending on an individuals’ location. Resumes for urban residents fetched a higher price than those in rural areas.

Context: Personal data leaks are a common occurrence in China and Zhaopin’s compromised resumes form a tiny portion of the huge market for stolen data.

  • In January, data thieves stole the personal data from nearly 5 million people that had used online train ticket booking services. The information, which included names, phone numbers, ID numbers, and passwords, was later sold on the dark web.
  • During the same month, 200 million job seekers had their resumes leaked, according to European bug bounty platform HackenProof. The breach included more than 800 GB of data from Chinese job portals, including 58.com.
  • As regulators clamp down further on data thieves, their networks become ever more complex, featuring multiple layers and systems that prevent one person from knowing more than one other in their ring. Police have found that some networks are also expanding to Southeast Asia in order to evade law enforcement.