Alibaba executives questioned over Chinese data breach
Security experts allege that the database was unsecured for over a year
Chinese police and government officials in Shanghai have called in executives at Alibaba's cloud services division, Aliyun, to explain a massive data leak. It is suspected that the breach can be traced back to an AliCloud server left without a password.
A source speaking to Nikkei Asia said multiple third-party contractors were involved in managing the Shanghai Police database, which makes assigning blame difficult. However, it is Alibaba executives who are currently helping the police with their investigation.
Security experts speaking to the Wall Street Journal have also alleged that a dashboard for managing the database had been left open on the public internet for more than a year.
The breach, first uncovered in late June, covered around 23 terabytes of information and held records on about a billion Chinese citizens.
The addresses, arrest records, ID numbers, height, gender and name of each person were held within the records.
The data was on sale for 10 Bitcoin - around $200,000 - but it is no longer for sale, according to the original forum post. Instead, the hacker's website simply says (in Chinese):
‘Hello, dear Chinese users, welcome to our forum. You most likely came here because of the Shanghai police database leak. The data is no longer being sold, and posts related to this topic have been deleted.’
Since the discovery of the leak, Alibaba engineers have been told to review database security for its cloud services, and to check configurations used by other clients.
Shen Meng, a director at Beijing-based bank Chanson & Co, stated: "Even though the incident was only related to Alibaba's cloud services, the result of the leak will impact on other cloud providers like Tencent and Baidu."
Aliyun and its parent company, Alibaba, have already been under increased scrutiny by the Chinese government for over a year, following a previous incident over a delay in reporting a software flaw to the government. That incident caused the government to halt all cooperation with Alibaba and Aliyun on information sharing for over six months.
This gives the Chinese government an incentive to push state-backed cloud systems further on the populace, as shown in a recent migration towards state cloud systems due to the crackdowns on Chinese tech companies like Tencent and Baidu. In fact, large-scale businesses like the Chinese Construction Bank, and local governments in cities, have further begun to move to a state-backed cloud platform due to the leak.