November 29, 2021

Alibaba Falls Victim to Chinese Web Crawler in Large Data Leak

A Chinese software developer trawled

Alibaba Group Holding Ltd.

’s popular Taobao shopping website for eight months, clandestinely collecting more than 1.1 billion pieces of user information before Alibaba noticed the scraping, a Chinese court verdict said.

The software developer began using web-crawling software he designed on Taobao’s site starting in November 2019, gathering information including user IDs, mobile-phone numbers and customer comments, according to a verdict released this month by a district court in China’s central Henan province. When Alibaba noticed the data leaks from Taobao, one of China’s most-visited online retail sites, the company informed the police, the court said.

A spokeswoman said Alibaba proactively discovered and addressed the incident and was working with law enforcement to protect its users. She wouldn’t elaborate on how many people were affected. No user information was sold to a third party and no economic loss occurred, she said. About 925 million people use Alibaba’s Chinese retail platforms at least once a month, according to the company.

While the developer didn’t obtain encrypted information such as passwords, some of the data he scraped, including phone numbers and a portion of usernames, isn’t publicly presented on the website.

Chinese legal experts say a data leak involving mobile-phone numbers would have more far-reaching consequences in China than in other parts of the world. In China, where people are required to register with real name identification before obtaining a mobile phone number, such numbers are considered by law to be personal information, said Annie Xue, a Beijing-based lawyer at GEN law firm.

In less than six months, China’s tech giant Ant went from planning a blockbuster IPO to restructuring in response to pressure from the central bank. As the U.S. also takes aim at big tech, here’s how China is moving faster. Photo illustration: Sharon Shi

In addition, Chinese consumers sign up for most of the internet services they use with their mobile phones, and knowing a person’s cellphone number would make it easier for a bad actor to pin down someone’s social-media accounts and other personal information, said Clement Chen, an assistant professor of law at the University of Hong Kong.

Hangzhou-based Alibaba has come under enhanced scrutiny from regulators since late last year, when authorities called off a blockbuster initial public offering of its financial affiliate Ant Group Co. days before the scheduled listing.

Huge consumer data leaks have become commonplace in China in recent years, as the country’s data-security regulation struggles to catch up with its technology advancements. Personal information from these leaks is often sold on the black market for pennies and has resulted in a fledgling privacy movement among Chinese citizens.

Chinese lawmakers have pushed for more oversight to better protect personal data. Last week, China passed a new data-security law to enhance Beijing’s control over data flows within the country and improve consumer data protection. The law, along with proposed legislation modeled on the European Union’s data-protection regulation, is intended to reinforce data rules such as the cybersecurity law introduced in 2017.

The Henan court filing, dated in May but released this month, indicated that the software developer, surnamed Lu, passed the phone numbers he collected to his employer. The employer, who operated a company doing promotions for sellers on Taobao, used the information to target clients and claim coupons from Taobao. The two were each sentenced to more than three years in prison. It isn’t uncommon for Chinese court rulings to be publicly released months after the verdict, and published rulings typically include only people’s surnames.

Though Alibaba wasn’t blamed in the ruling, the company could still face administrative penalties under the 2017 cybersecurity law, said You Yunting, a senior partner at Shanghai Debund Law Offices. Alibaba declined to comment on whether it had informed users of the incident.

Since Ant’s IPO was called off, antitrust regulators have levied a record $2.8 billion fine against Alibaba for abusing its dominant position in the country’s online retail space and have asked Ant to overhaul its businesses to fall in line with regulation.

Large global tech companies including

Facebook Inc.

have also had to contend with data leaks. In April, Facebook blamed “malicious actors” for scraping data including names and phone numbers of more than 530 million users. Legal and privacy experts said then that the social-media firm chose to describe the incidents as data scraping instead of hacking to avoid triggering laws and rules in various jurisdictions requiring companies to report data breaches to regulators and the public.

Write to Yang Jie at jie.yang@wsj.com and Liza Lin at Liza.Lin@wsj.com

Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8

Appeared in the June 16, 2021, print edition as ‘Software Developer Scraped User Data From Alibaba Site.’

Related Posts

Amazon, Google Probed in U.K. Over Fake Reviews

June 25, 2021

June 25, 2021

The U.K.’s antitrust regulator launched an investigation into whether Amazon. AMZN -1.56% com Inc. and Google are doing enough to...

Elon Musk Needs to Sell Millions of More Tesla Shares to Meet 10% Pledge

November 12, 2021

November 12, 2021

Elon Musk’s sale of roughly $5 billion in Tesla Inc. shares in recent days is likely just the start of...

Fed Officials Debate Scaling Back Mortgage-Bond Purchases at Faster Clip

June 28, 2021

June 28, 2021

WASHINGTON—As Federal Reserve officials discuss how to eventually scale back their easy-money policies, they are debating whether to start by...

Renault Charged in France in Emissions Fraud Probe

June 8, 2021

June 8, 2021

French authorities opened a probe in 2017 into whether Renault engaged in fraud concerning auto emissions. Photo: Laurel Chor/Bloomberg News...

New Face-Mask Rules Put Grocery Workers Back at Center of Debate

May 22, 2021

May 22, 2021

Supermarket workers are back in the middle of a national conversation about face masks. Many supermarket chains have eased rules...

Transcript: WSJ Interview With Philadelphia Fed President Patrick Harker

July 1, 2021

July 1, 2021

Federal Reserve Bank of Philadelphia President Patrick Harker discussed in an interview with The Wall Street Journal his views on the...

DoorDash and Uber Eats Are Hot. They’re Still Not Making Money.

May 28, 2021

May 28, 2021

Food-delivery companies did record-breaking business during the pandemic, as millions of homebound Americans embraced the idea of ordering dinner via...

Deere Workers Reject Second Contract Offer, Extending Strike

November 3, 2021

November 3, 2021

Workers at Deere & Co. rejected a second contract offer, extending a strike against the farm equipment and construction machinery...

Why Doing Good Is No Longer Bad Business

June 4, 2021

June 4, 2021

It seems the modern corporate mission statement could use an update: Do well by doing good—or else. Earning the perception...

Google Unit DeepMind Tried—and Failed—to Win AI Autonomy From Parent

May 21, 2021

May 21, 2021

LONDON—Senior managers at Google artificial-intelligence unit DeepMind have been negotiating for years with the parent company for more autonomy, seeking...

Deere Workers Approve New Contract, Ending Strike

November 18, 2021

November 18, 2021

Workers at Deere & Co. ratified a new six-year contract Wednesday, ending a strike against the farm and construction machinery...

German Lawmakers Approve Rule Aimed at Boosting Women in Corporate Boardrooms

June 11, 2021

June 11, 2021

Some of Germany’s largest companies must ensure they have at least one woman on their management boards under legislation passed...

Stack Overflow Sold to Tech Giant Prosus for $1.8 Billion

June 2, 2021

June 2, 2021

Prosus PRX 0.54% NV said it struck a $1.8 billion deal to acquire Stack Overflow, an online community for software...

Blink Charging Taps Cash Pile in Electric Car Bet

May 27, 2021

May 27, 2021

Blink Charging Co. is using cash acquired in a recent stock offering to expand its network of charging stations ahead...

The U.S. Prepares for a Blockbuster July Fourth

July 2, 2021

July 2, 2021

Mark Penzkover, a civil engineer near Milwaukee, jumped in his car the other day and like many others across the...