Is Alibaba responsible for the largest data heist in China? Authorities is investigating

Is Alibaba responsible for the largest data heist in China? Authorities is investigating. (Photo by AFP) / China OUT

Is Alibaba responsible for the largest data heist in China?

  • The cloud arm of Alibaba in China has been summoned by the authorities in regards to the theft of Shanghai’s police database recently.
  • It was found that the stolen data of one billion Chinese was hosted on Alibaba’s cloud platform and the company met virtually soon after for an emergency response.

For more than a year, data of one billion Chinese citizens stolen from the Shanghai National Police (SHGA) network were left out in the wild. It wasn’t a known fact until an anonymous user revealed it in a hacker forum some two weeks ago. What was also made known was the fact that the 23 terabytes of data were hosted by Alibaba Cloud, the same cloud arm said to be hosting the local police network. Now Alibaba is under scrutiny in China, a country where data is almost a top priority and negligence when it comes to security is not acceptable.

Even cyber experts had confirmed that the data was stored on Alibaba’s cloud servers, apparently by the Shanghai police. The fact that the data was left unsecured online for almost 14 months, without a username or password guarding access, would inevitably place the Jack Ma-owned company under the limelight. As expected, news reports state that the tech giant’s executives had been summoned by Chinese officials over the theft of a vast police database.

The news even dragged down the shares of Alibaba in China for the most in a month. Alibaba however has temporarily disabled access to the breached database and launched an inspection since the theft was discovered, according to the Wall Street Journal. The report also added that senior managers from Alibaba and its cloud unit held a virtual meeting on July 1 after a seller advertised the stolen database in a cyber crime forum.

Alibaba however has yet to make any official comments pertaining to the matter. Even officials in Shanghai and from the Cyberspace Administration of China have not publicly commented on the high-profile incident. However, in the wake of an alleged data leak, the country’s Premier Li Keqiang had stressed the importance of information security at a State Council meeting on July 6.

Chinese government bodies must “defend information security, to protect personal information, privacy and confidential corporate information” so people can feel secure when submitting data for certain public services, according to a statement summarizing the cabinet meeting, as per South China Morning Post’s report. Although he did not specifically mention the incident, securing data has become an increasingly important priority for the government, especially since the enactment of two related laws last year.

For context, China is home to 1.4 billion people, which means the data breach could potentially affect more than 70% of the population. The sample data set by the anonymous hacker known as ‘ChinaDan’ suggests that those databases contain Chinese national residents’ names, birth dates, addresses, mobile phone numbers, personal identification numbers, photos, and even ethnicities.

ChinaDan shared a sample that contained 750,000 records which would allow interested buyers to verify the information. When the anonymous user advertised the data for sale two weeks ago, access to the database was shut down. Of course the size of the alleged hack then triggered concerns about its implications at a time when China’s state apparatus is collecting huge swathes of data from its citizens for social surveillance and governance.

Local reports indicated that Alibaba Cloud won the bid for the Shanghai Public Security Bureau’s “Smart Public Security Comprehensive Service Platform Construction Project” July 15, 2019 with a budget of 22.53 million yuan (US$3.3 million), which was to include the building of a portal and search function for the database.

Other local reports also noted that the breach isn’t an odd incident. In fact, in 2019, 90 million documents belonging to the Jiangsu provincial police department were exposed on the publicly accessible ElasticSearch server. Then at the end of 2020, a list with the personal details of 1.95 million Chinese Communist Party (CCP) members from Shanghai was leaked online.

Interestingly, after the claimed leak, Chinese social media platforms sprang into action, censoring related content. Even Tencent Holdings and Weibo started censoring related posts with one commentary on the former’s WeChat that claimed the leak will bring “permanent, implacable influences” disappeared soon after being published. On Weibo, a microblogging platform, related content under the topic “Shanghai national police database” was cleared out.