Mobile payment service company Alipay has refuted claims made by a cybersecurity researcher who tagged the company as one of the financial intermediaries that have been selling their customers' transaction data to the highest-bidding third parties.
Yesterday, Dutch tech researcher and cybersecurity reporter Victor Gevers tagged the China-based company as one of the mobile payment platforms that “sells its customer (transaction) data to third parties for monitoring and marketing purposes.”
Gevers discovered that one of these databases contains data from Alipay’s customers. He said that he was able to find one of these databases in an unsecured MongoDB database and noted that anyone with basic training could find others within 30 minutes of searching.
“Payment providers will always SELL you out,” he exclaimed.
In a tweet, he alleged that Alipay sold the data to a third party, which uses it to run a credit score system to see to whom it can sell more of its services on another platform.
When asked how he knew that the data was from Alipay and not from some other rightful party to the transaction, like the merchant or an e-commerce platform, he said that there is only one “entity who can/has access to all” and that’s Alipay. He added that if governments are excluded as the owners of the breached databases, it is easy to determine that it is the payment provider that uses third parties to “study/convert their own [money] transfer data into ‘research projects’ which gets sold.”
In an email sent to Z6Mag by Andy Duberstein, a spokesperson for Alipay, the company said that it is not affiliated in any way with the organization that leaked the consumer data. It has confirmed through its internal investigations that no information leaks are coming from its servers.
“We are confident that Alipay’s database is safe. The recent discussions on the Internet regarding the leak of Alipay user’s data have no relation to Alipay or Alipay’s partners,” Duberstein wrote in an email.
The spokesperson assured their users that “the protection of user privacy and data security is at the core of our business and the utmost importance to Alipay.”
A Twitter user with the handle @MoeMoeil refuted Gevers' claims that the data leak was the fault of Alipay, saying that there is no proof of that. According to him, it is possible that Alipay users voluntarily gave the leaked data to a third-party company like a lending corporation.
In China, the user said, many websites and companies are requiring users to submit their personal information like name, ID, phone, bank card, and even mugshots of themselves holding their card. He claimed that he was able to locate the loan credit service provider where the leaked data came from and that, according to the firm’s documentation, the data was given to them by a “collaboration agency.”
“Now consider this scenario: A user wants to borrow money from a P2P-loan agency. The agency says ‘I need to check your Alipay transaction history first.’ The user gives his Alipay account and password to the agency, and the agency downloads the full history of the user […] Later, this agency, as a ‘collaboration agency,’ sells the downloaded transaction history to the financial credit investigating company,” wrote Moe Moeil in response to Victor Gevers' tweets.
“In this case, I think Alipay shall be innocent since the user himself surrendered the account access.”
Alipay’s spokesperson offered the same explanation for what might have happened in this incident. He said that after their internal investigation and technical verifications, they found that Alipay users are submitting their Alipay account names and passwords to a particular online lending platform that is not connected to the company.
“Such information was obtained by crawler companies that work with these online lending platforms. The information obtained by these crawlers was then stolen by hackers,” Duberstein added.
Duberstein emphasized that these crawlers are not Alipay’s partners and clarified that their affiliates do not sell user data to third parties.
“We want to reiterate that the involved third-party platforms and the crawler companies are not Alipay’s partners. Alipay always strictly enforces its data security and privacy protection policies. We only collect limited and necessary information that will be used to better serve our users with their prior consent,” Duberstein added.