New China data era: Past cyber scandal returns to haunt Alibaba

By Elles Houweling

The telecoms regulator of China’s eastern province of Zhejiang has told Alibaba’s cloud unit that it violated the country’s Cybersecurity Law and should make rectifications following a complaint about a data leak scandal that rocked the company in 2019.

The Zhejiang Communications Administration said in a letter dated July 5 that Alibaba Cloud disclosed user registration information to a third party without consent, which violated the “Cybersecurity Law of the People’s Republic of China”.

The letter was issued after the bureau received and processed a complaint against China’s largest cloud service provider. The authority did not identify the source of the complaint or when it was filed.

Alibaba responded to the report, stating that an employee in the telemarketing department used their position to obtain customer data, which was subsequently shared with a third party.

In a statement, the company said that “Alibaba Cloud strictly prohibits employees from leaking user registration information to third parties and the situation has been dealt with in accordance with the requirements of the Zhejiang Provincial Communications Administration.”

The document refers to the “Cybersecurity Law of the People’s Republic of China”, which has been in effect since 2017. Under the law, an order to take corrective measures is the lightest penalty for infringing on rules protecting user data. The regulator is authorised to issue a fine of up to 1m yuan ($154,000) and to fine responsible individuals up to 100,000 yuan.

The end of China’s internet ‘wild west’

The case has been brought to the foreground amid Beijing’s regulatory push in relation to the handling of personal data. China’s Personal Information Protection Law, which goes into effect in November, and China’s Data Security Law, set to go into effect in September, have been deemed milestones in regulating data collection, storage and usage by tech giants.

This also falls in line with Beijing’s ambitions to put an end to the “wild west” era hitherto enjoyed by many internet companies. Since Alibaba was fined for monopolistic practices in April, virtually all of China’s big names in tech have been chastised.

Social media platforms and mobile app developers have been explicitly targeted for illegal data collection.

“The state is highly interested in them because they generate so much data,” senior analyst at GlobalData, Michael Orme, points out.

Moreover, there has been a general sentiment among netizens that these companies have become too big and powerful.

“They had been ripping the consumers off. There was a lot of misleading marketing. Pricing was out of control with companies that had monopolistic powers. They were making life very difficult for their competitors using unfair practices,” Orme adds.

“I think it is to remind the people that it is not just another war, but that it’s designed to bring benefits to residents, to Chinese citizens,” Ilia Kolochenko, founder of ImmuniWeb and a member of Europol Data Protection Experts Network, points out.

According to Kolochenko, the new investigation of the old data leak that occurred in 2019 is to send a message across the board.

“It’s saying, look, you were lucky, Alibaba, that when the mega data leak happened, and you didn’t implement foundational security controls, we didn’t penalise you. But now, please pay attention. Otherwise, we’ll come not with a carrot but with a big stick.”

Alibaba 2019 data leak

In 2019, Alibaba’s shopping website Taobao was compromised for eight months, which resulted in over 1.1 billion pieces of user information being collected by a software developer.

The unnamed developer used web-crawling software and gathered information, including user IDs, mobile phone numbers and customer comments.

A criminal verdict was published by the People’s Court of Suiyang District, stating that two criminals, the developer and his employer, were involved in the crawl, as reported by Chinese media.

Alibaba noticed the data leaks from its shopping website after several months and then informed the authorities, the court statement detailed.

Following a police investigation, the report suggests the two individuals were sentenced to imprisonment for over three years each and fined 100,000 yuan ($15,400) and 350,000 yuan ($54,000) for “infringing on citizens’ personal information.”