Chinese authorities summon Alibaba executives over data breach

Chinese authorities have reportedly called in Alibaba cloud executives for talks over the police database data breach that emerged at the start of July.

Alibaba is carrying out an investigation of its own into how the data breach of over a billion people happened, according to The Wall Street Journal (WSJ). The breach, one of the largest in history, saw the data taken from a Shanghai police database and was put online for sale for around $200,000 in late June.

Cyber security researchers said that a dashboard for managing the database had been left open, without a password, for over a year. Researchers concluded that it was hosted on Alibaba’s cloud platform which was also confirmed by company employees.

After the anonymous attacker posted an advertisement selling the data with a sample list of the information on a cyber crime forum, senior Alibaba managers gathered to come up with an emergency response on 1 July.

The executives reportedly called in for the meetings with Shanghai authorities include Chen Xuesong, Alibaba Cloud vice president, who had been hired recently to lead the cloud unit’s digital public-security business.

IT Pro has contacted Alibaba for comment.

Since the data breach was discovered, engineers at the company have temporarily disabled access to the database and have started inspecting related code. However, the reasons for the breach haven’t yet been determined.

The stolen data had been stored on Alibaba’s cloud using technology that was several years outdated and lacking in basic security features, two cyber security companies, LeakIX and SecurityDiscovery, told the WSJ. It was missing an up-to-date security certificate, with the company last deploying one in September 2017 which was never renewed after its expiration a year later.

The data is also believed to contain personal information belonging to Chinese citizens including names, government ID numbers, phone numbers, and records of crimes reported to the police.

Since the breach has occurred, Alibaba Cloud has ordered staff to review details like the database architecture and configurations in contracts with key clients, putting an emphasis on those with dedicated private cloud resources including government agencies and financial institutions.

LeakIX and SecurityDiscovery also found 13 other Alibaba-hosted databases which used the same outdated version of the database and database products. They had also been set up identically with the database on a private server and the dashboard on the public internet. All 13 had the same certificate that then expired and nearly all had been left open for around a year. One database had over 60TBs of data while another had 92TBs, far more than the 23TBs stolen from the Shanghai police.

This isn’t the first time that the Chinese tech giant has faced scrutiny over its data-security practices. Last December, its cyber security partnership with the Chinese ministry in charge of technology was suspended for six months after the government alleged the company took too long to report a global software vulnerability.