SHANGHAI - The leak of information via the country's largest third-party payment platform has sparked a public outcry over transaction security at a time when the Internet is soaring as a major shopping avenue.
"The leaked data revealed only transaction information before 2010. They excluded sensitive information such as usernames or passwords, which were ciphered through a sophisticated method that is not available to anyone," according to a statement by Alipay on Sunday.
Alipay apologised for the leak, saying it has notified Chinese regulators and will keep the public informed about the investigation in a timely manner.
Alipay accounts for 61 per cent of the country's third-party payment market, according to IT consultancy iResearch. Currently, about 200 banks and 400,000 e-commerce vendors or online units of brick-and-mortar stores accept Alipay as an online payment channel, according to company statistics.
Earlier media reports said police have held a former employee of Alipay, who told police he downloaded 20 gigabytes of personal information in 2010 - including users' names, cellphone numbers, e-mail addresses, home addresses and purchase records - and his accomplices sold the information to others. Industry insiders said the information was useful for some e-commerce websites who need to locate their potential customers.
"I'm worried at the thought of a possible leak of my correspondence address, not to mention they might leak my transaction passwords," said Wang Hongji, a 29-year-old insurance firm clerk who normally has more than 10,000 yuan (S$2,000) in his Alipay account.
To engage in online transactions, customers are often required to provide personal information, making customers vulnerable to threats to privacy and information security, said Li Zhi, principal analyst at Beijing-based consultancy Analysis International.
"The situation can even be exacerbated when a transaction involves multiple services where the payment is conducted between a customer and a primary service provider that outsource services to others," she said.
Organisations and individuals may file an accusation of unlawful or criminal acts of stealing personal electronic data and selling such data to others, said Ling Xiao, a law professor at a university in Sichuan province.
"But whether the former Alipay employee will be given criminal sanctions depends on whether Alipay is interpreted as a financial institution, which the Criminal Law requires as a prerequisite to determine his crime," said Ling.
If so, Alipay will have to receive penalties for overlooking such a loophole, he added.
The incident contrasted with a previous effort in June, initiated by Alibaba Group Holding Ltd with other Internet firms, to create a joint resource pool to prevent leaking of personal information and to stamp out other online exploitation. Alipay is the payment unit of Alibaba.
In 2011, a massive data breach was reported on the China Software Developer Network, the country's largest programming network hub.
The incident caused the disclosure of 6 million usernames and passwords, raising widespread concerns about Internet security.