August 27, 2022
(SOUTH BRUNSWICK, N.J.) – As an internet user, what could be more unnerving than discovering your private information leaked publicly on the internet for any random stranger to pick up and paw through? Yet that is exactly what an article published by CNN on July 5 described happening to one billion people in China. What made this leak even more shocking was that the victims’ leaked information was left out in the “open” for more than one year. How did the company responsible for the data not notice this for such a long time? The article also brought up the possibility of extortion and how hackers could use the leaked information to try to ransom individuals.
The alarmist coverage of this incident raised questions. As a reader, I felt like the headline — “Nearly one billion people in China had their personal data leaked, and it’s been online for more than a year” — was sensationalized and exaggerated to catch my attention. The headline provides little context, citing that the breach had been happening for quite some time and that it impacted an enormous sum of unidentifiable people. CNN is banking on its readers to click this story because the breach involves China, a nation overwhelmingly covered in a negative light by western media.
Yet the most important information was almost entirely left out of the headline and lede. The reporting cites that the data in question was hosted on the cloud servers of Alibaba Group, a multibillion-dollar e-commerce company based in China, which led CNN to question Alibaba’s role in what is referred to as China’s largest known cybersecurity breach, according to the Washington Post. Now if you’re in the business realm and have investments in China, this story may ring alarm bells. Alibaba reported $1.3 billion in gross merchandise volume in the fiscal year of 2022. The company is a big deal — warranting a story. However, the way CNN went about reporting the story failed to highlight that critical context, feeding into the sensationalistic news loop on China.
Cyber News, Wall Street Journal, Bloomberg, and Fortune all covered the same story. I particularly appreciated Cybernews’ headline, “Shanghai Police Leak reveals China To Be as Vulnerable as Any Nation.” The title does not encourage panic with hot words like hack or breach. It also humbles China as yet another place vulnerable to the throes of cyberattacks. According to Bloomberg, the breach may fuel Beijing’s resolve to clamp down on domestic tech giants and accelerate a move away from their private cloud services. A question that stuck with me, though, was why is western media so heavily reporting on cybersecurity attacks in China when these attacks don’t affect the U.S.?
The leak reported by CNN and other outlets could be one of the biggest ever recorded in the history of cybersecurity breaches for China. The story discusses Chinese personal data being publicly accessible but it fails to mention the threat posed to the U.S.’s cyber landscape — really alienating the story from its primary audience. My issue with the story — beyond it not being relevant to its American readers — is it emanates a wave of panic. According to CNN, an anonymous owner of the data was at fault, not the company hosting it. So why is the article so focused on Alibaba instead of the owner that it acknowledges? I wanted to know if this was a breach or a hack because the headline misconstrued the meaning of this term throughout the article. The article mentions a hacker stole the data. I tried reaching out to Yong Xiong, Hannah Ritchie and Nectar Gan with my questions about their article but none of the journalists responded to my media request.
One small paragraph was devoted to the owner of the data in the entire CNN article, but it mentions the company Alibaba throughout. “The seller also claimed the unsecured database had been hosted by Alibaba Cloud, a subsidiary of Chinese e-commerce giant Alibaba,” the article reads. One issue I had with the article is that CNN focused the blame on the company.
Yet experts agree that it was the owner of the data who was at fault, not the company hosting it. I felt like the article misrepresented Alibaba in a negative light, failing to provide them with the opportunity to state their side — feeding into sensationalist coverage of this Chinese conglomerate.
Cybersecurity Risk Management Consultant Aundria Harvell who works for CORL Technologies said in an interview, “I see the benefit of CNN reporting on this, though the cyber incident does not directly affect the U.S.” Harvell added, “It may pique our interest because it involves China, but it never hurts to report on cybersecurity news regardless of where the incident occurred.”
The CNN article mentioned clouds, data, and leaks— these are certain things Harvell has to look for in her day-to-day job. “When you are setting up a database that is hosted by the cloud, you need to implement secure controls immediately at setup. I will say that if the data owner had done this initially, quicker action could have been taken to prevent the data leak. You will find that many issues in cloud security are at the fault of the data owner, something the article does mention,” said Harvell.
With that in mind, the headline should have been more about the owner who didn’t take precautions to catch the breach in time. According to Reuters, shares in Alibaba group (9988.HK) fell the most on July 15th, after the Wall Street Journal reported that the Chinese Tech Cloud division had been summoned by Shanghai authorities in connection with theft of police data. This is the stark reality of the kind of impact media can have on the entities they report on.
Harvell noticed at the end of the article by CNN that a cybersecurity expert presented evidence that a ransom request related to the leaked data appeared to be resolved, “but the database owners had continued to use the exposed database for storing until it was shut down over the weekend.” Harvell said people need to be careful of threat actors who demand ransom. “Even if it seemingly gets resolved, you can never be fully sure of the outcome, as we see in this case,” she added.
The article says the leak was resolved, but it wasn’t shut down until July 1st when the note disappeared, according to CNN. That means the problem was still not fixed. I spoke to Ritik Roongta, a Ph.D. Student at NYU, who said, “In my opinion, it’s not the question of whether the U.S should be worried. The article highlights the casual attitude adopted by various nation-states, including the U.S., in handling the personal data of citizens. There is no regulatory authority to monitor the government.”
In the United States, sensationalism drives stories to get people to read. As journalists, our goal is to gain the reader’s attention but sometimes, the headlines can be dramatic or unethical to get viewers. David Berube, a communications professor, spoke to Reporter Magazine on this issue. “I think the reason the journalist turns to sensationalism is that the readership is so attracted to the dramatic and sensational,” Berube said. “The Greeks discovered years ago that people love drama, and so it becomes the tool that they can use.”
I decided to reach out to some journalists in the United States to get their opinion on why western media heavily reports on cybersecurity attacks in China when most incidents don’t affect the United States. I spoke to CK Smith, a journalist with a local ABC affiliate in Florida, to find out what she thinks. “We live in an increasingly global society, thanks to the internet. While such attacks might not seem to affect the U.S., they will impact us somehow. It could be through financial markets, as cybersecurity issues tend to create instability in the markets, and our trade with China would be affected by this.” According to Wired, after this hack, Apple announced a “Lockdown Mode” for iOS 16 which allows users to operate their phones in a more limited mode if they are in danger of being targeted by spyware.
According to the Embassy of the People’s Republic of China in Canada, “The cyber attack charges, along with other baseless accusations such as those against China’s human rights records, are simply an old political trick played from time to time by a small group of Western countries obsessed with demonizing China and containing its development.” We, the media, bolster such accusations every time we write a sensationalist headline. “What these countries [including the U.S.] don’t realize is that political rumormongering will only hinder the world’s efforts to bolster cybersecurity,” the Embassy published on its website. The U.S. and China will continue to sensationalize anything in cybersecurity to create a rivalry between both countries even though neither country has perfect cybersecurity — nobody does.
Professor Randal Milch, Co-Chair of the NYU Center for Cybersecurity said, “There is no perfect cybersecurity; the question is how much to spend to reasonably account for risks. The cybersecurity breach in China is still something CNN will report back to the USA.” In Milch’s opinion, even a breach in a country as distant as China would count as news to the U.S. government. “Of course, the [U.S. government] should be interested in weaknesses in Chinese cybersecurity,” said Milch.
Milch doesn’t believe that the CNN reporting, and countless other media outlets’ coverage of the issue of the breach, is that impactful. “I think it’s likely the U.S. government knew about this for some time.” Milch doesn’t see the U.S. getting involved in any other way, other than to exploit the information if at all possible.
“As for the ‘hack’ — it really wasn’t a hack: based on the story, people walked through an open door to this information. Bad errors in setting up cloud databases happen all the time, and in fact, are the most common reason for failures in cloud cybersecurity. I agree with the article that failures like these are almost always the fault of the cloud customer, and not the cloud provider,” said Milch. He agrees that sensationalism is used in the title.
Sensationalism, at its core, exaggerates a story beyond what actually occurred. It’s unethical because it creates fear of something that is usually blown out of proportion. It’s not what the news should tell, it’s what will bring more numbers to the network. Sensationalism in China will continue to drive fear into its citizens and shape the American perspective.