YTO Express Group, a leading express delivery firm in China, said in a statement Tuesday its five employees leased their internal accounts to criminal groups for profit, which leaked some 400,000 pieces of users' personal information.

Three suspects in the criminal groups associated with the data leak were arrested in September while the rest remain on the run, according to police based in Handan, northern China's Hebei Province.

The company on Tuesday apologized for the leak in the statement and claimed it reported the crime to the police. 

YTO Express' risk control system detected abnormalities on the waybill information or shipment data for two accounts at a YTO Express branch in Hebei in the end-July and closed them.

The authorities moved in and discovered the company's employees had rented out internal accounts to the suspects, charging 500 yuan ($76) per day for each account.

The suspects reportedly logged into the system to steal people's data and sold the information to domestic and overseas buyers, comprising the names, identification card numbers, phone numbers and addresses of numerous users.

A slew of laws and regulations regarding punishments for stealing people's personal information in China, and the amendment to the country's Criminal Law specifically establishes a sentence of up to seven years for infringing on citizens' personal information.

"The delivery company has very serious problems in internal management already. Therefore, YTO Express should not just apologize. It should give users an explanation on how to make rectifications and what measures will be taken in the future," said Zhou Hanhua, deputy director of the Institute of Law of the Chinese Academy of Social Sciences.

Zhou said putting an end to biological information leaks, such as people's faces and voices, should be the top agenda of legislation and law enforcement.

(Cover via CFP)