07-18-2022 , 02:27 PM
https://www.wsj.com/articles/alibaba-exe...malertNEWS
Alibaba Executives Called In by China Authorities as It Investigates Historic Data Heist
Cybersecurity companies say Alibaba’s cloud platform that hosted Shanghai’s police database used outdated systems that didn’t offer the ability to set a password
HONG KONG—Executives from Alibaba Group Holding Ltd.’s cloud division have been called in for talks by Shanghai authorities in connection with the theft of a vast police database, according to people familiar with the matter, adding urgency to an internal investigation by the Chinese tech giant into how one of history’s largest data heists was allowed to happen.
The investigation revolves around a cache of sensitive Shanghai police data on an estimated nearly one billion Chinese citizens, which was offered for sale online for the equivalent of roughly $200,000 in late June. Cybersecurity researchers said a dashboard for managing the database had been left open on the public internet without a password for more than a year, making it easy to pilfer and erase its contents.
Based on scans of the database, the researchers concluded that it was hosted on Alibaba’s cloud platform. Company employees also confirmed the relationship.
Senior managers from Alibaba and its cloud unit gathered virtually to formulate an emergency response on July 1, after an anonymous seller posted an advertisement for the data and provided a sample of it in a cybercrime forum, according to people briefed on the meeting.
Executives called in for meetings with the Shanghai authorities include Alibaba Cloud Vice President Chen Xuesong, who was recently hired to lead the unit’s digital public-security business, according to people familiar with the matter.
Mr. Chen couldn’t be reached for comment. Alibaba and the Shanghai government didn’t immediately respond to requests for comment.
Alibaba founder Jack Ma was an early evangelist of the use of data in policing and social control in China.
Since the theft was discovered, Alibaba engineers have temporarily disabled all access to the breached database and have begun inspecting related code, some employees familiar with the response said. The reasons for the breach haven’t yet been determined, they said.
Two cybersecurity companies told The Wall Street Journal the stolen data had been stored on Alibaba’s cloud using technology that was several years outdated and lacked basic security features, according to an analysis of the database’s metadata—part of a pattern they detected with more than a dozen other databases hosted by the company.
Alibaba didn’t respond to a request for comment on the companies’ findings.
Based on samples provided by the seller, the stolen data is believed to contain the names, government ID numbers and phone numbers of the vast majority of Chinese citizens, including minors, as well as records of crimes reported to the Shanghai police and other sensitive information. Though it’s common around the globe for databases to be left unsecured, cybersecurity researchers have said they were shocked to see such a huge volume of this level of sensitive information set out for the taking.
The breach has highlighted the volumes of data Chinese authorities are collecting through the country’s nationwide digital surveillance system, as well as the difficulty the government faces in keeping that data secure. A report published by China’s state-sponsored National Academy of Governance in November warned that a paucity of professionals capable of handling digital systems and a lack of coordination with tech suppliers were undermining the government’s effort to use technology to more efficiently manage society.
Mr. Chen, the Alibaba Cloud executive called in by Shanghai authorities, formerly worked as a government-funded engineer in public security and information technology, according to employees familiar with his background. It couldn’t be determined what was discussed in their meeting.
As the investigation continued, Alibaba Cloud ordered staff to review details such as the database architecture and configurations in contracts with key clients, especially those with dedicated private cloud resources such as government agencies and financial institutions, according to employees familiar with the matter and a cloud customer.
Neither Alibaba nor the Shanghai police have commented on the discovery by cybersecurity researchers last week that the dashboard for the stolen police database had been left without a password.
According to researchers at LeakIX and SecurityDiscovery, two cybersecurity companies that scan the web for unsecured databases, the dashboard lacked a password, and there wasn’t a way to add one.
Both the database that Alibaba provided for storing the data and the dashboard for accessing and managing it were using versions of the products that were several years outdated, the researchers said. Those versions didn’t include any security features, such as password protection, without a separate add-on that was never installed, they said.
The missing add-on didn’t matter for the database, which was kept on a secure private server, but the dashboard was set up on the public internet, acting like an open door to the data vault and allowing the information inside to be exported unencumbered.
The database was also missing an up-to-date security certificate, a unique digital identifier used to encrypt web traffic that has become standard practice. Alibaba last deployed a new certificate in September 2017, which expired a year later and was never renewed, according to the researchers.
The reliance on an expired certificate didn’t increase the vulnerability of the database but indicates that upkeep had been neglected, said Gregory Boddin, LeakIX’s chief technology officer. “There was no maintenance whatsoever on it,” he said, for at least the past four years.
LeakIX and SecurityDiscovery both said they found 13 other Alibaba-hosted databases that used the same outdated version of the database and dashboard products, and that had been set up identically, with the database on a private server and the dashboard on the public internet. All 13 also shared the same certificate that then expired, which bucks best practices for security, Mr. Boddin said.
Nearly all had been left open upward of a year, according to LeakIX’s records. Two contained even more data than the 23 terabytes stolen from the Shanghai police: One had over 60 terabytes, while the other had over 92 terabytes.
“Even one day is enough for a database of such size to be grabbed and collected by malicious actors,” said Bob Diachenko, owner of SecurityDiscovery.
In early July, shortly after the leak began gaining widespread attention on social media, Alibaba cut public access to all 14 databases, Messrs. Boddin and Diachenko said.
Alibaba founder Jack Ma was an early evangelist of the use of data in policing and social control. In 2016, he delivered a speech to 1.5 million political and legal officials in which he said analysis of vast quantities of data would help the public security agencies track down thieves and predict terrorist attacks before they happened.
Alibaba Cloud is the biggest public cloud-service provider in China, but it lags far behind competitors like Huawei Technologies Co. in catering to clients who demand their own private cloud systems, according to government-backed think tank CCW Research. Alibaba’s cloud business turned a profit in the quarter ended March, making it the first Chinese cloud-service provider to make money from the cash-burning sector.
Alibaba previously has faced scrutiny over its data-security practices. In December, the Chinese ministry in charge of technology suspended a cybersecurity partnership with Alibaba’s cloud-computing unit for six months after Beijing alleged the company failed to report a global software vulnerability to it in a timely manner.
Last year, under pressure from a local telecom regulator, the company disclosed a 2019 incident in which an employee had leaked client contact information to a distributor.
Earlier this week, the Shanghai authorities announced a cybersecurity review of key websites and platforms belonging to government agencies, state-owned companies, big tech firms and other entities, with a particular focus on any that contained personal data on more than one million people.
Raffaele Huang contributed to this article.
Appeared in the July 15, 2022, print edition as 'Alibaba Probed Over Data Theft'.