Alibaba falls victim to data leak, insists no customer data was sold

Alibaba has fallen victim to a eight-month web-scraping operation by a marketing consultant who collected sensitive user information, according to a Chinese court verdict.

According to Bloomberg, a verdict released this month by a district court in China’s central Henan province showed that a marketing consultant began using a self developed web-crawling software on Taobao starting in November 2019, gathering information including user IDs, mobile phone numbers and customer comments. Alibaba later noticed the data leaks from Taobao and informed the police afterwards. 

The consultant, responsible for helping merchants on Taobao, was guilty of dredging up more than a billion data items on Taobao users since 2019 to serve clients. The consultant and his employer were handed jail terms of more than three years, alongside fines totaling about US$70,260.

Meanwhile, the developer didn’t obtain encrypted information such as passwords, some of the data he scraped, including phone numbers and a portion of usernames, isn’t publicly presented on the website.

Alibaba said none of the customer data was sold and Alibaba users didn't incur financial losses. Meanwhile, Taobao said it "devotes substantial resources to combat unauthorised scraping on its platform, as data privacy and security is of utmost importance."

The company also reiterated that it would continue to work with law enforcement to protect and defend the interests of users and partners.

Meanwhile, Alibaba-owned Lazada reported a data breach in November 2020, ahead of the company's ahead of its annual Single's Day sales. Lazada said its cybersecurity team discovered a breach in Singapore, involving a RedMart-only database hosted on a third-party service provider.

The information that was illegally accessed include the names, phone numbers, emails, addresses, encrypted passwords and partial credit card numbers of RedMart customers. However, Lazada said the data hosted is more than 18 months out of date, as it was last updated in March 2019. The data was also said to be used on the previous RedMart app and website, which are no longer in use.

Related articles
Chinese govt reportedly presses Alibaba to divest media assets which includes SCMP
Alibaba Group slapped with US$2.8bn antitrust fine, no plans to appeal