Alibaba Victim of Massive Data Breach following Months-Long Web-Scraping Operation


Alibaba Group is the latest victim of a massive data breach following a months-long web-scraping operation by one of its marketing consultants. The unnamed marketer siphoned off usernames and phone numbers from Alibaba’s online shopping platform Taobao for approximately eight months, clandestinely collecting over 1.1 billion pieces of sensitive user information.

Months-Long Web-Scraping Operation

Taobao is an online shopping platform owned by the Alibaba Group, a Chinese-owned multinational technology company worth billions. Taobao is ranked as the eighth most-visited website and the largest online retail website in China. It offers both C2C and B2C shopping platforms as well as various services aimed at creating a holistic shopping experience.

For years, Taobao partnered with a marketing firm to help merchants on its online mall platform. It turns out that one of the marketer’s software developers created a web crawler, also called a spider or spiderbot, that was able to scrape user information. This information included user IDs, mobile phone numbers and comments customers left on the platform.

Court Sentences Employee and Employer

The marketing firm used the information for its customer service. The crawling went on for eight months before Alibaba discovered it and, consequently, reported the leak. In their defense, the marketing company argued that they never sold any of the data. They also claimed that none of the users suffered any financial loss as a result of their crawling operation.

The district court in China’s central Henan province, where the court case took place, was not impressed. It sentenced the employee, a man surnamed Lu, and his unnamed employer to three years’ imprisonment and imposed a total fine of 450,000 yuan (more than $70,000).

Beijing Tightens Grip on Data Security

The court didn’t hold Alibaba or Taobao accountable. Nonetheless, under China’s 2017 cybersecurity law, the tech giant could still be hit with administrative penalties.

Moreover, China’s new data security law will come into effect on 1 September 2021. The new law makes “core data” collected within China’s territory subject to government oversight. The country has also tightened its grip on the troves of personal information that tech giants, such as Alibaba, gather every day from millions of customers.

Further, the new law foresees steep fines of up to 10 million yuan ($1.5 million) for unapproved overseas data transfers. Finally, companies that fail to protect their data can face a fine of up to 2 million yuan ($315,000).

Controlling Tech Titans

In the US, there’s also a strong push to regulate and break up tech titans, like Facebook, Amazon, and Google. Anti-competitive behavior and privacy enforcement are the two main drivers for this.

Of note is the fact that President Joe Biden has put a stop to Trump’s attempts to ban applications owned or controlled by Chinese tech companies. Government scrutiny, however, will continue. The President instructed the Secretary of Commerce to investigate whether the apps pose a national security threat. He has to provide recommendations within the next 120 days.

IT communication specialist
Sandra has many years of experience in the IT and tech sector as a communication specialist. She's also been co-director of a company specializing in IT, editorial services and communications project management. For she follows relevant cybercrime and online privacy developments. She rigorously tests the quality of VPN services using's dedicated VPN testing protocol that has been finetuned and optimized over the years.