Chinese Police Put Walmart on Notice Over Violation of China’s Cybersecurity Law

By Fran Wang
January 9, 2022 (Updated: January 9, 2022)

Walmart has recently struggled in China. After being accused of halting the sale of products from Xinjiang, the retail giant received a warning from Chinese police for alleged breaches of China’s cybersecurity regulations, as the regime tightens its grip on how companies inside its borders process data.

According to a report dated Jan. 5 by state-owned outlet China Quality News Network, police in the southern Chinese city of Shenzhen discovered 19 “vulnerabilities” in Walmart’s network infrastructure in late November, and police have now accused the company of being slow to address the loopholes in violation of China’s cybersecurity laws.

Walmart was ordered to make rectifications, the report said, without mentioning any fines or details of the vulnerabilities.

The news outlet is backed by China’s market regulator, the State Administration for Market Supervision.

The retail giant and the Shenzhen police did not respond to Reuters’ requests for comment by Jan. 7.

At the end of December, China’s anti-graft office accused Walmart and its Sam’s Club retail chain of “stupidity and short-sightedness” after social media users claimed that Sam’s Club had withdrawn Xinjiang-sourced products from its stores.

There is no sign that the Shenzhen police warning is related to the Sam’s Club incident.

The Shenzhen police warning comes amid China’s stepped-up cybersecurity crackdown on how data is collected, stored, and utilized by companies operating in China. Companies must report vulnerabilities in their software to China’s Ministry of Industry and Information Technology (MIIT) within two days of their discovery under a regulation passed last year.

The telecommunications regulator disciplined Alibaba Cloud Computing for failing to first report major flaws in its widely-used logging software.

Alibaba Cloud found a security vulnerability in the popular, open-source logging framework Apache Log4j2, and reported it to the Apache Software Foundation, according to a statement from MIIT in December.

In response, the regulator suspended for six months a cooperative partnership with Alibaba Cloud in the areas of cybersecurity threats and information-sharing platforms, state-backed media outlet 21st Century Business Herald reported, citing a notice from the regulator.

The report added that Alibaba’s cloud unit would be re-evaluated, and the partnership would be restarted based on the outcome of internal reforms.

The reasons for the suspension included failing to immediately report to the telecoms authority and failing to effectively support the regime in managing network security threats and vulnerabilities.

The laws highlight the central government’s desire to strengthen control over critical online infrastructure and data in the name of national security.

“This vulnerability may allow remote control of equipment, which could result in serious consequences such as the theft of sensitive information, and the disruption of equipment services. It’s a high-threat vulnerability,” MIIT said in a statement on the Apache Log4j2 issue.

Reuters contributed to this report.