Chinese police have arrested 22 people on suspicion of involvement in a major insider data breach scam at Apple which generated them as much as 50m yuan (£5.8m).
All but two of those cuffed by police in the eastern province of Zhejiang worked for a third party direct marketing and outsourcing provider for the tech giant, according to the Guardian.
Presumably as a result, they had access to databases of Apple users’ names, phone numbers, Apple IDs and other sensitive personal data which was harvested and sold on for between between 10 yuan (£1.15) and 180 yuan (£20.76), the report claimed.
Local police claimed to have arrested the suspects on suspicion of privacy infringement and data theft.
The operation apparently involved law enforcement from Guangdong, Jiangsu, Zhejiang, and Fujian provinces, with suspects arrested, their tools confiscated and network taken apart.
China recently enacted major new cybersecurity law in part designed to protect personal info like this. It stipulates that network operators must keep collected information strictly confidential and that use of any PII requires the owner’s consent.
The use of the generic terms “networks” and “network operators” in this case is broad enough to “leave a lot of room for interpretation, which is exactly how the Chines government wants it”, according to the China Law Blog.
There’s no info on whether foreign Apple customers were affected, although given the third-party outsourcer in question worked in domestic direct marketing, the likelihood is that just locals were hit.
Last year Apple was accused of leaking privacy data on a much wider scale than Android phones.
Of the 26 million iOS transactions monitored by the Zscaler cloud, 0.5% resulted in privacy information like device metadata, location, and personally identifiable information (PII) being sent, the vendor claimed.