Following the discovery of a database that contained millions of user transaction records from Alipay, the cybersecurity expert who exposed the vulnerable database confirmed that Alipay itself did not leak the data.
This statement confirms his earlier theory that a third party, possibly a small-scale loan company, sold to another data aggregator the data it gathered from customers who submitted their Alipay login credentials for review.
In a recent tweet, Victor Gevers said that the server the database came from does not belong to Alipay because the China-based mobile money processing company uses OceanBase to store its data. He also noted that Alipay’s data structure is completely different from that of the discovered database, confirming that the data was not shared or leaked by the financial company.
A few days ago, Gevers accused Alipay of selling its users’ financial transaction data to third-party companies for “marketing and advertising purposes.” He said that many of these third parties cannot handle sensitive information and store it in unsecured databases.
He also claimed that payment providers “will always SELL you out.”
The database was eventually locked down within an hour after Gevers shared his discovery.
Alipay pushed back and rejected the allegations made by Gevers in an email sent to Z6Mag.
According to Andy Duberstein, a spokesperson from the company, “the protection of user privacy and data security is at the core of our business and the utmost importance to Alipay.”
He assured their users that the company and its affiliates do not sell user data to third parties.
Duberstein instead offered an explanation for how the data of Alipay users ended up in the database that Gevers discovered. He said that after a thorough investigation, the company understands that some Alipay customers submitted their Alipay account names and passwords to a certain online lending platform. That information was obtained by crawler companies that work with these online lending companies and was then stolen by hackers.
The explanation provided by Alipay coincided with the initial theory offered by Gevers and by another Twitter user, who called out the lack of proof for Gevers’ claims that the company sells data to third parties.
“Alipay always strictly enforces its data security and privacy protection policies. We only collect limited and necessary information that will be used to better serve our users with their prior consent,” Alipay Spokesperson Andy Duberstein added.
DATA WAS TOO BIG FOR A THIRD PARTY TO GENERATE ON ITS OWN
Meanwhile, Gevers raised concerns over the amount of data that was exposed. He said that the dataset was humongous considering the time frame: the database contains 1.2 billion records for the last three months. He questioned how many lending platforms could generate such an amount of data in just three months. He noted that even PayPal, one of the biggest online money processing companies, does not come close to that number.
“The data was not anonymized. The datasets are way too big for a third party. Someone handed the data over to a third party – voluntarily, or they were hacked. We have seen third parties handling transaction data from financial institutions poorly before. That is why [I] shared all the information immediately after the database was secured,” Gevers told Z6Mag in a private chat.
DATA IS GOLD
The discovery of the database has raised concerns over China’s fintech industry, according to Gevers. He noted that most financial data leaks happen because sources trust third parties with their data. Most of the time in fintech, experts see third parties doing machine learning and analytics to generate insights.
And these insights have a “pretty good value,” according to Gevers.
“Knowing what the Chinese people are spending their money on based on one of the biggest financial institutions has a very high market value in and outside China,” he said.
That is why he could not blame Alipay had it indeed sold the data (which, in this case, it did not). While he believes that the dataset did not come directly from Alipay, he said that a dataset as big as the one he uncovered is a sign that it was exchanged with consent.
“That is why I made the statement that financial institutions will sell us out. Data is the new gold. And these financial institutions are not charities. They want to make money, and they have a lot of data. It’s like telling a kid not to take a cookie from the huge glass cookie jar that is right in front of them on the table,” he added.
CRYPTO-CURRENCY IS THE GREATEST LEAP FORWARD AGAINST BREACH BY FINTECHS
When asked what could have been done to prevent financial companies from selling transaction data, he said that strict regulation could do it, but financial institutions would still not resist the temptation.
“Maybe one day, cryptocurrency and Blockchain technology will make us independent from these financial institutions. That would be the greatest leap forward we could make,” Gevers added.