The online payment platform Alipay has apologized to customers after user information, including names and home addresses, was stolen. The apology came a bit late—some three years after the fact.

About 20 gigabytes of user data stolen from the Chinese online giant Alibaba’s payments unit was sold to other e-commerce firms and market research companies in 2010. It wasn’t until 2012 that company officials suspected information had been stolen; in November 2013 police charged an employee on Alipay’s technical staff with stealing the information, as well as a man with another e-commerce firm who bought the data. (The going rate was reportedly 500 yuan ($82) per 30,000 items of the data haul.)

The case is just part of a larger online security problem facing Chinese companies—worrying in a country with 590 million internet users and one of the world’s largest online retail markets. Stealing and selling personal information isn’t especially lucrative, but it’s all too easy given how little Chinese companies invest in data protection. Chinese officials are trying to address the problem through more arrests and laws targeting certain industries like delivery services, but industry observers call the reforms largely piecemeal.

A hit to Alipay’s reputation for security is especially bad as the company expands its base and services. They now include allowing users to buy money market funds and other financial products using their Alipay accounts. The company has a user base of 600 million spanning several countries, more than that of PayPal, the escrow service Alipay was originally modeled after. Moreover, Alipay, launched in 2004, was key to establishing e-commerce in China for consumers who were new to online shopping and wary of fraud. That anxiety might be returning soon—especially if there are other data thefts that companies haven’t quite gotten around to announcing yet.

Jennifer Chiu contributed additional reporting.