Twenty-two people were arrested in China's southern Zhejiang province.
Twenty-two people were arrested in China's southern Zhejiang province.

Authorities in China have unmasked a massive underground market where Apple contractors were selling user data of Apple's Chinese customers, according to a report in the Hong Kong Free Press.

Twenty-two people were rounded up in China's southern Zhejiang province, 20 of them employees of a local direct sales and outsourcing company.

The gang allegedly siphoned out the customer data – including user names, phone numbers and Apple IDs – from an internal company computer network, which they then sold, charging between $1.50 and $26.50 for elements of the illegally obtained assets. They reportedly earned around $7.4 million in the ploy.

A four-month investigation by police across four provinces resulted in the arrests.

"The compromised data from Apple appears to have been the result of an 'inside job' that was carried out by sub-contractors at third party facilities that were retained by Apple," Alex Heid, white hat hacker and chief research officer of SecurityScorecard, told SC Media on Friday. "This incident underscores the insider risk that is present in any enterprise that handles sensitive data, especially when that data is shared with multiple third parties."

Even when there are technical solutions in place to ensure that unauthorized entities are unable to hack into resources, it is much more difficult to ensure protections when the violation occurs at the human level through the exploitation of trust, which is essentially a social engineering attack, Heid told SC. "It is important that companies are familiar with all aspects of risk when choosing a third-party supplier, and measurements of risk that go beyond network security and into the realm of social engineering can be good indicators of an organization's overall information security posture."

George Avetisov, CEO of HYPR, told SC Media that this incident is a perfect example of what happens when companies stockpile user data in bulk. "Even a tech giant like Apple – which is known for user privacy – can and will lose control over sensitive data. This is a stark reminder that no amount of security or marketing can prevent the inevitable theft of private customer data. So long as user data is centralized, malicious third parties will find a way to get to it."

The incident both reaffirms the value and vulnerability of personal data, added Dimitri Sirota, CEO and co-founder of BigID. "Part of the challenge facing companies is that they tend to lack good accounting for what data they have and who has access to the data. However, new privacy regulations like EU GDPR and China's Cyber Law both mandate new requirements to map user data in the organizations to better safeguard its security and privacy.”