China officials haul in Alibaba execs over massive data heist: Report

Based on scans of the database, the researchers concluded that it was hosted on Alibaba's cloud platform. PHOTO: AFP

BEIJING (AFP) - Alibaba shares sank on Friday (July 15) after a report said the tech giant’s executives had been called in for meetings with Chinese officials over the theft of a vast police database.

Unknown hackers last month put on sale what they claimed was the personal information of hundreds of millions of Chinese citizens - which, if true, would make it one of the biggest data heists in history.

Cyber-security analysts subsequently confirmed that the data - partly verified by AFP - was stored on Alibaba’s cloud servers, apparently by the Shanghai police.

The company’s shares slumped 5.7 per cent at the open in Hong Kong on Friday, hours after the Wall Street Journal (WSJ) reported that the Shanghai authorities had called in Alibaba executives for talks in connection with the heist.

WSJ cited unnamed people familiar with the matter as saying that the executives included Alibaba Cloud vice-president Chen Xuesong, who heads the unit’s digital public security work.

The report added that senior managers from Alibaba and its cloud unit held a virtual meeting on July 1 after a seller advertised the stolen database in a cyber crime forum.

As part of an internal investigation, company engineers have cut access to the breached database and have started reviewing related code, WSJ said, citing employees familiar with Alibaba’s response to the hack.

The database is believed to have been stored on Alibaba’s servers using outdated and insecure technology.

Alibaba did not immediately respond to an AFP request to confirm the information in the report.

China maintains a sprawling nationwide surveillance network that collects huge amounts of data from its citizens, ostensibly for security purposes.

Beijing has passed stronger data protection laws in recent years as public awareness of data security and privacy issues has grown.

There are few ways, however, for ordinary citizens to stop the government from gathering information on them.

The sample of 750,000 entries posted online by the hacker showed citizens’ names, mobile phone numbers, national identity numbers, addresses, dates of birth and the police reports they had filed.

The hacker wanted 10 bitcoins - around US$200,000 (S$281,000) at the time - for the entire database.

Some of the information appeared to have been drawn from express delivery services, while other data included summaries of police incident reports in Shanghai over more than a decade until 2019.

At least four people out of more than a dozen contacted by AFP last week confirmed that their details were listed in the database.

Join ST's Telegram channel and get the latest breaking news delivered to you.