Questions surrounding Alibaba’s role in China’s largest known cybersecurity breach may fuel Beijing’s resolve to clamp down on domestic tech giants and accelerate a move away from their private cloud services.
Researchers studying the leaked data of close to a billion Chinese residents earlier this month have noticed hallmarks of Alibaba’s cloud service, including the domain name of the hosting service. This week, executives of the company’s cloud division, known as Aliyun, were summoned by Shanghai authorities in relation to that data dump, the Wall Street Journal reported, citing sources familiar with the matter.
The embarrassing data breach comes as Chinese President Xi Jinping, months away from potentially an unprecedented third term, has stressed the importance of cybersecurity. It has sent a jolt through the Chinese security community, given not only the massive scale of the leak but also because the data in question was managed by Shanghai’s police, who help to collect data on citizens and enforce the country’s increasingly strict cyber laws.
Officials in Shanghai and from the Cyberspace Administration of China have not publicly commented on the high-profile incident, even two weeks after a hacker sought to sell the vast trove of stolen personal info that includes names, phone numbers, addresses, and criminal records. Alibaba declined to comment.
The company’s shares were down as much as 5.8% in Hong Kong on Friday and led a wide swathe of declines among Chinese tech firms operating in related fields. Investors fear the incident will affect Chinese regulations on cloud services going forward, affecting some of the country’s biggest names from Tencent and Baidu to Huawei.
“Even though the incident was only related to Alibaba Cloud, its impact will likely spill over into other private cloud providers such as Tencent and Baidu,” said Shen Meng, a director at Beijing-based investment bank Chanson & Co. “If Aliyun is indeed found to have flaws in its system, it would deal a heavy blow to the reputation of non-state cloud providers and could even trigger a massive user migration to state-backed cloud systems.”
That migration was already underway even before the July hack, as Beijing’s relentless and widespread crackdown of its formerly high-flying tech giants nudged risk-averse institutions toward state-owned providers. Large-scale businesses like the China Construction Bank and local municipalities in cities such as Nantong were already moving closer to state-backed cloud platforms.
Aliyun’s reputation took a hit last year when China’s Ministry of Industry and Information Technology, the country’s powerful tech overseer, upbraided the service provider for not reporting a software flaw to the government in a timely fashion. MIIT then suspended cooperation with Aliyun on a cybersecurity information-sharing platform for six months.
Multiple security researchers who analyzed the leaked database have said its certification information pointed to it being hosted on AliCloud and that it may have been left unsecured online for months, without a username or password guarding access. Bob Diachenko, from the cyber threat intelligence site Security Discovery, said he had discovered the database in April, and an analysis by LeakIX, which tracks exposed data online, showed that the database may have been publicly accessible since last April.
It is unusual for the targeted organization in a claimed data breach to let so many days pass without offering public comment on the incident, which has created a “vacuum of information” around it, said Troy Hunt, the Australia-based creator of the Have I Been Pwned? website. In general, it was more likely for a cloud service subscriber to make a mistake in its security and configuration settings rather than for a third-party cloud service provider to have serious vulnerabilities that would be responsible for data breaches of this kind, he said.
“It’s pretty expected that the owner of the data might call to account the cloud provider,” he said. “The interesting question is, is this a problem with Alibaba Cloud, or is it a problem with the way that the customer configured it? It is more likely that a single subscriber of the cloud provider, in this case the Shanghai police, made a mistake.”
Since the data theft was publicised, security researchers say that access to the database online has been pulled. Alibaba temporarily disabled access and began internally investigating the incident, including reviewing the database architecture and configurations for their contracts with customers, particularly for government agencies and financial institutions, the Journal reported.