Taobao, the Chinese shopping platform owned by Alibaba, suffered a data breach after a Chinese software developer used web-crawling software to acquire 1.1 billion pieces of data, including usernames and mobile phone numbers. The Wall Street Journal (WSJ) brought the huge data leak to light on June 15, citing a Chinese court ruling.
In particular, the WSJ cited a recent ruling by a district court in central Henan, China, which stated that the data involved in the breach included user IDs, mobile phone numbers, and user comments.
The court reported the data breach to police when Alibaba spotted the suspicious activity. Taobao is one of the most popular shopping platforms in China. According to the company, approximately 925 million people use Taobao and other Alibaba retail sites each month.
The decision did not hold Alibaba responsible for the leak. However, the company could face administrative sanctions under China's 2017 Cyber Security Act, said Yuyunting, a senior fellow at the Shanghai Deband office.
According to a petition filed in Henan County Court, a software developer named Lu carried out the scraping of the site, using a tool developed on the Taobao platform in 2019. Lu began extracting some of the user data on the site, which was then passed on to Lu's employer. The WSJ reported that behind the action was a promotion company that worked with Taobao merchants. According to the report, the employer used the data to find new customers and requested Taobao coupons.
The WSJ reported that both Lu and his unnamed employer were sentenced to more than three years in prison. Judgments of Chinese courts are generally published months later and usually contain only the surname.
Huge data leaks that expose consumer data have been a common phenomenon in China in recent years, as the country's data security regulation struggles to keep up with technological developments. Personal information from these leaks is often sold on the black market, which has led to a new privacy movement among Chinese citizens.
Chinese lawmakers have been pushing for more oversight, aiming at better protection of personal data. Last week, China introduced a new law on data security in order to strengthen Beijing's control over data flows within the country and to improve consumer data protection.
The law, along with proposed legislation based on the European Union Data Protection Regulation, aims to strengthen data regulations, such as the Cyber Security Act introduced in 2017. China's new data security law passed in April. The law, which derives from the cyber security law of 2017, will enter into force on September 1.
Many technology giants, including Facebook, have also been confronted with serious data leaks. In April, Facebook accused "malicious actors" of scraping data, including the names and phone numbers of more than 530 million users. Legal and privacy experts said at the time that the social media giant had chosen to describe the incident as data scraping instead of hacking to avoid triggering laws and regulations in various jurisdictions that require companies to report data leaks to both regulators and the public.