Beijing police said on Tuesday that they have arrested a person suspected of hacking into Chinese Software Develop Net (CSDN) in 2010, causing the leak of millions of people's personal data. Four other suspects involved in separate hacking cases have also been arrested.
The CSDN hacker, whom police identified only as Zeng, was captured in Wenzhou, Zhejiang Province on February 4, about 40 days after the website reported the incident to police.
Zeng admitted that he made use of flaws in CSDN's system and entered its database to obtain users' data in April 2010.
CSDN, an IT website with more than 20 million registered users, lost the information of over 6 million users after it was attacked. Dozens of well-known websites and nearly 50 million users have become victims as a result of the leak, as many people used the same names and passwords on multiple websites.
Police found the other four suspects in separate cases while investigating the CSDN incident.
According to China's criminal law, breaking into a computer system is punishable by up to seven years in jail.
Wang, a marketing staff member with CSDN, told the Global Times yesterday that the leak had an instant negative effect on the company, but they reacted promptly.
"We published a statement of apology, closed the background process, and warned our customers to change their passwords," she said, adding that the company has made great efforts to increase security levels in its database.
The Beijing Municipal Public Security Bureau announced yesterday on its official microblog that it has issued a warning to CSDN for not strictly following State regulations on information security.
This is the first such administrative penalty since the regulation on classified computer information security was implemented in 2007.
Zheng Ning, deputy director of the law school at the Communication University of China, described China's Internet network security situation as "unpleasant," though authorities have been putting more effort into personal information protection.
"To ultimately solve the problem, we still need to establish a new mechanism, including personal data protection acts and a matching regulatory system," he said.