IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Chinese authorities summon Alibaba executives over data breach

An unknown attacker stole the data of over a billion citizens from a police database, in one of the largest breaches recorded in history

Chinese authorities have reportedly called in Alibaba cloud executives for talks over the police database data breach that emerged at the start of July.

Alibaba is carrying out an investigation of its own into how the data breach of over a billion people happened, according to The Wall Street Journal (WSJ). The breach, one of the largest in history, saw the data taken from a Shanghai police database and was put online for sale for around $200,000 in late June.

Cyber security researchers said that a dashboard for managing the database had been left open, without a password, for over a year. Researchers concluded that it was hosted on Alibaba’s cloud platform which was also confirmed by company employees.

After the anonymous attacker posted an advertisement selling the data with a sample list of the information on a cyber crime forum, senior Alibaba managers gathered to come up with an emergency response on 1 July.

The executives reportedly called in for the meetings with Shanghai authorities include Chen Xuesong, Alibaba Cloud vice president, who had been hired recently to lead the cloud unit’s digital public-security business. 

IT Pro has contacted Alibaba for comment.

Since the data breach was discovered, engineers at the company have temporarily disabled access to the database and have started inspecting related code. However, the reasons for the breach haven’t yet been determined.

The stolen data had been stored on Alibaba’s cloud using technology that was several years outdated and lacking in basic security features, two cyber security companies, LeakIX and SecurityDiscovery, told the WSJ. It was missing an up-to-date security certificate, with the company last deploying one in September 2017 which was never renewed after its expiration a year later.

The data is also believed to contain personal information belonging to Chinese citizens including names, government ID numbers, phone numbers, and records of crimes reported to the police. 

Since the breach has occurred, Alibaba Cloud has ordered staff to review details like the database architecture and configurations in contracts with key clients, putting an emphasis on those with dedicated private cloud resources including government agencies and financial institutions.

Related Resource

Your key to digital differentiation and competence

Database services fit for app modernisation, cloud-native innovation, and data-driven strategies

Whitepaper cover with title and image of woman wearing glasses writing on a whiteboard in a dark officeFree Download

LeakIX and SecurityDiscovery also found 13 other Alibaba-hosted databases which used the same outdated version of the database and database products. They had also been set up identically with the database on a private server and the dashboard on the public internet. All 13 had the same certificate that then expired and nearly all had been left open for around a year. One database had over 60TBs of data while another had 92TBs, far more than the 23TBs stolen from the Shanghai police.

This isn’t the first time that the Chinese tech giant has faced scrutiny over its data-security practices. Last December, its cyber security partnership with the Chinese ministry in charge of technology was suspended for six months after the government alleged the company took too long to report a global software vulnerability.

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Recommended

South Korean public sector organisations targeted by Gwisin ransomware
ransomware

South Korean public sector organisations targeted by Gwisin ransomware

8 Aug 2022
APAC region to lose 63 million jobs to automation by 2040
automation

APAC region to lose 63 million jobs to automation by 2040

8 Aug 2022
Cyber attacks rain on Taiwan during Pelosi visit
cyber warfare

Cyber attacks rain on Taiwan during Pelosi visit

5 Aug 2022
Microsoft becomes Australian space hub's first 'Constellation Partner'
Cloud

Microsoft becomes Australian space hub's first 'Constellation Partner'

4 Aug 2022

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022
Cyber attack on software supplier causes "major outage" across the NHS
cyber attacks

Cyber attack on software supplier causes "major outage" across the NHS

8 Aug 2022
Should you take your password manager off the internet?
Sponsored

Should you take your password manager off the internet?

28 Jul 2022