Alibaba falls victim to Chinese crawler in major data breach
A Chinese software developer crawled Alibaba Group Holding Ltd.'s popular shopping site Taobao for eight months, surreptitiously collecting more than 1.1 billion user details before Alibaba noticed the scraping, according to a Chinese court verdict.
The software developer started using web crawler software he designed on the Taobao site from November 2019, collecting information such as user IDs, mobile phone numbers and customer feedback, according to a verdict this month from a district court in China’s central Henan province. When Alibaba noticed data leaks from Taobao, one of China’s most visited online retail sites, the company notified the police, the court heard.
A spokeswoman said Alibaba proactively discovered and addressed the incident and was working with law enforcement to protect its users. She did not specify the number of people affected. No user information was sold to a third party and no economic loss was incurred, she said. About 925 million people use Alibaba’s Chinese retail platforms at least once a month, according to the company.
Although the developer did not obtain encrypted information such as passwords, some of the data he extracted, including phone numbers and part of usernames, is not presented publicly on the website.
Chinese legal experts say a data breach involving mobile phone numbers would have greater consequences in China than in other parts of the world. In China, where people are required to register with real identification before getting a cellphone number, those numbers are considered personal information by law, said Annie Xue, a Beijing-based lawyer with the GEN law firm.
Also, Chinese consumers sign up for most internet services they use with their cell phones, and knowing a person’s cell phone number would make it easier for a bad actor to locate social media accounts and someone else’s personal information, said Clement Chen, assistant professor of law at the University of Hong Kong.
Hangzhou-based Alibaba has been under intense scrutiny from regulators since late last year, when authorities canceled a successful initial public offering by its financial subsidiary Ant Group Co. a few days before the scheduled registration.
Huge consumer data leaks have become commonplace in China in recent years, as the country’s data security regulations struggle to catch up with its technological advancements. Personal information from these leaks is often sold on the black market for pennies and has sparked a nascent privacy movement among Chinese citizens.
Chinese lawmakers have pushed for more surveillance to better protect personal data. Last week, China passed a new data security law to tighten Beijing’s control over data flows within the country and improve consumer data protection. The law, along with proposed legislation modeled on the European Union’s Data Protection Regulation, aims to strengthen data rules such as the Cybersecurity Act introduced in 2017.
The Henan court filing, dated May but released this month, said the software developer, surnamed Lu, passed on the phone numbers he collected to his employer. The employer, who operated a business promoting sellers on Taobao, used the information to target customers and claim coupons from Taobao. The two were each sentenced to more than three years in prison. It is not uncommon for Chinese court rulings to be made public months after the verdict, and published rulings usually only include people’s surnames.
Although Alibaba was not blamed in the decision, the company could still face administrative penalties under the 2017 cybersecurity law, said You Yunting, senior partner at law firm Shanghai Debund. Alibaba declined to say whether it notified users of the incident.
Since canceling Ant’s IPO, antitrust regulators have fined Alibaba a record $2.8 billion for abusing its dominant position in the country’s online retail space and asked Ant to revamp its business to comply with regulations.
Major global tech companies, including Facebook Inc., have also had to deal with data leaks. In April, Facebook accused “malicious actors” of harvesting data including the names and phone numbers of more than 530 million users. Legal and privacy experts then said the social media company chose to describe the incidents as data scraping rather than hacking to avoid triggering laws and rules in various jurisdictions requiring companies to report data breaches to regulators and the public.
Copyright ©2022 Dow Jones & Company, Inc. All rights reserved.
Appeared in the June 16, 2021 print edition as ‘Software Developer Scraped User Data From Alibaba Site’.