A new report out of China details the arrest of some 20 employees working as Apple distributors who illegally sold customer data as part of a $7 million operation. The arrested employees reportedly worked in “direct marketing and outsourcing” roles for the company in the Zhejiang province.
While details are still light at this point aside from a police statement on the arrests, the report appears to describe an operation in which distributors with access to customer contact information were able to sell it on the black market for profit.
Exactly what information was accessed and how long the operation went on are unclear. The report does not appear to suggest that any security breach occurred, but rather that employees took advantage of information generally available to them as part of the job.
Of the 22 suspects, 20 were Apple employees who allegedly used the company’s internal computer system to gather users’ names, phone numbers, Apple IDs, and other data, which they sold as part of a scam worth more than 50 million yuan (US$7.36 million).
Apple employees having access to customer contact information like customer names, email addresses, and phone numbers is not uncommon for a variety of roles including support positions, and nothing suggests more personal data beyond contact information was collected and distributed.
According to the report, police say they have broken up the illegal operation following the arrests:
Following months of investigation, the statement said, police across more than four provinces — Guangdong, Jiangsu, Zhejiang, and Fujian — apprehended the suspects over the weekend, seizing their “criminal tools” and dismantling their online network.
The most challenging problem here seems to be balancing the access employees need to customer data, such as contact information, against how that data can be used. In this specific case, the scale the operation reached is perhaps most surprising.
The suspects, who worked in direct marketing and outsourcing for Apple in China, allegedly charged between 10 yuan (US$1.50) and 180 yuan (US$26.50) for pieces of the illegally extracted data.
We’ll update if any new details emerge about this incident.