Hackers claim they breached data on 1 billion Chinese citizens

Hackers said they have breached the personal data of 1 billion Chinese citizens from a Shanghai police database and offered it for sale, a leak that, if confirmed, would be one of the largest such exposures in history — but many victims may never learn of it because of censorship.

In a post last week on an underground hacker forum, an anonymous poster or a group advertised the availability of the data and released a sample that purportedly contained 750,000 records. The asking price for the entire 23-terabyte database was 10 bitcoin, or about $200,000. The post has since been locked by the site.

The data included names, national identification and phone numbers, medical records, details from police reports, and other information. Though the authenticity of the full database had not been confirmed, The Washington Post’s review of some ID numbers appeared to track with information found on a government website.

The alleged hackers said there were several billion police reports — from thefts to fights to domestic violence, dated from the late 1990s to 2019 — included in the leak. The personal information and reported incidents were in separate files.

Despite the scope of the breach — which potentially affects more than 70 percent of China’s 1.4 billion residents — the government was blocking victims from learning about it. On Weibo, a widely used Twitter-like platform in China, a keyword search for “data leak” or “Shanghai police database” failed to return any results related to the breach. A local police department in China’s Henan province retweeted a post about the leak on Saturday, per screenshots circulating on Twitter, but the original post and the retweet have since been deleted. One individual, when reached by The Post, confirmed details of their personal data that had been made public but said they had not known about the leak.

Chinese officials have not released any public statements or notified affected individuals of the breach.

“Normally we’d see an organization either acknowledge it, deny it, or [say they] are investigating further. The radio silence, in data breach land, is a little bit unusual,” said web security consultant Troy Hunt. “In China, maybe less unusual, [because it] seems to control information a little bit differently.”

China tightly controls the flow of sensitive information. Under such constraints, for example, social media companies constantly develop and update keywords to prevent users from posting about certain topics, or remove posts if they initially went undetected.


The breach occurred a year after the nation’s Personal Information Protection Law took effect, imposing stringent security safeguards on corporate and government entities that handle personal information. The law was passed after Chinese regulators ordered the parent companies of more than 40 apps to change their operations for violating data transfer rules, Reuters reported.

People whose sensitive information has been compromised online risk real-world harms such as fraud, harassment and abuse. Quartz reported that many users complained about getting “weird overseas phone calls,” which they suspected were related to the leak.

Kendra Schaefer, the head of tech policy research at China-focused research team Trivium China, said in a Twitter post Monday that the incident was the first major public breach by a government body under the new law. “[S]o it’s unclear who holds who accountable,” she said. The Ministry of Public Security (MSP) would typically oversee cybercrime investigations.

“The records also allegedly contain details on case files of minors,” Schaefer said. “So that would be a violation of the Minor Protection Law.” She raised the possibility that the data contained information of celebrities or officials.

In the released sample data set, certain information was associated with individuals listed under the “seven categories of key people” or “suspect at large,” references to individuals monitored by MSP for suspected criminal activity.


Experts say it is also possible that the files had been online before the law took effect — the breach did not become widely known until the alleged hacker disclosed it online. Cybersecurity researcher Vinny Troia told CNN that he learned of the database in January on a public site, which was opened in April 2021, meaning anyone could have accessed the database since then.

There’s also speculation that government staff members accidentally included the credentials necessary to access the database in a blog post on the Chinese Software Developer Network, a forum for developers to share code. Changpeng Zhao, the chief executive of the cryptocurrency exchange Binance, referenced the theory in a tweet on Monday. He said that the company had “already stepped up verifications” for users who were potentially affected.

The unnamed poster claimed that the database was hosted by AliCloud, a subsidiary of Chinese e-commerce giant Alibaba Group. Cloud providers affiliated with big tech companies, like AliCloud, typically build the digital infrastructure for government agencies.

Alibaba Group did not respond to the request for comment.

But Shawn Chang, the chief executive of security solution provider HardenedVault, found that theory unconvincing. “Shanghai is a city [with 25] million population. AliCloud is unlikely [to use] one key for the whole police system,” he said. He added that the breach could be elsewhere, such as with centralized key management services that failed to go through the authentication process.

Hunt said that the anonymity of the person who offered the sale, as well as the size of the database, raised questions over the accuracy of the claims. The solicitation of a large payout also raises the possibility that the claims have been exaggerated or falsified, he added.

While China has been pursuing extensive upgrades in state surveillance for years, it’s no secret that government entities have poorly managed data systems. “The problem with Chinese government is that they collect all citizens’ data on public service platforms, which had serious consequences once the data was leaked,” Chang said. “Anywhere you go, you have to submit your information. But there is not a systematic way to manage those data. Private companies are also bad at managing data, but are better than the government.”

Earlier this year, a researcher obtained a cache of documents from Xinjiang police, which detailed draconian surveillance and reeducation practices in the region and shed light on Beijing’s crackdown on the Uyghur population.

Data leaks have increased dramatically worldwide. Cybersecurity firm Group-IB identified 308,000 databases that were exposed to the open web in 2021, including more than 90,000 hosted in the United States, followed by more than 50,000 in China. Most of those exposures, however, involved corporate or private institutions that store employee or customer data.

In contrast, the leak from China’s police database stood out because it was not simply self-reported data such as names and contact information, but detailed summaries of reported incidents and criminal suspects coded by the police department.

Correction

A quote by Shawn Chang, the CEO of HardenedVault, should have said Shanghai is a city of roughly 25 million population. An earlier version said 250 million.


Source: WP