Chinese Police Database Was Unsecured Long Before It Was Seized

According to security researchers, the Shanghai police database, which contains vast amounts of personal data and was seized by hackers and groups, had not been protected online for months, in what is perhaps the largest known breach of the Chinese government’s computer systems.

The leak, which came to light after an anonymous user posted on an online forum offering to sell the personal information of as many as a billion Chinese citizens, reveals the privacy risks of the Chinese government’s vast surveillance and security apparatus.

Chinese authorities are collecting vast amounts of data about citizens by tracking their movements, scrutinizing social media posts, and recording DNA and other biological markers. However, even as the state accumulates more personal data than ever before, it can be slow to build safeguards, in some cases parking the data on an unprotected server. Immediately after the Shanghai database was advertised, another anonymous user posted on an online forum offering to sell another police database, from Henan Province in central China, which the user claimed holds information on 90 million citizens.

In recent years, Chinese citizens have expressed increasing demands for personal privacy and data protection from businesses. If this leak becomes widely known in China, it could fuel public resistance to the government’s collection of personal data. However, the news about the leak was quickly censored and removed from China’s internet and social media platforms. This shows that the government is aware of the explosive nature of the apparent breach. As of Thursday, hashtags such as “Shanghai Data Leak”, “1 Billion Citizens Leak”, and “Data Leak” remained blocked by the popular Chinese microblogging service Sina Weibo.

Paul Triolo, senior vice president for China at the strategy firm Albright Stonebridge Group, said: “Given how sensitive this issue is to the general public, it’s not surprising that they’re in full censorship mode.”

Large-scale data breaches are not uncommon, but security researchers say the Shanghai police database stands out both for its size and for the sensitivity of some of the information it contains.

Two cybersecurity researchers said they had each independently validated the anonymous user’s claims that the database contained over 23 terabytes of data covering billions of individuals, pointing to one of the leaked files, which appears to contain nearly 970 million records. They did not rule out the possibility of duplicate entries.

One of them, Vinny Troia, the founder of threat intelligence company Shadowbyte, said he first encountered the database a few months ago. The server was accessible as early as April 2021, according to data from LeakIX, an online platform that scans the internet for publicly exposed databases. CNN previously reported that the Shanghai database had gone unprotected for a long time.

The New York Times has reviewed some of the 750,000 record samples released by an anonymous user named China Dan to prove the authenticity of the data. In addition to the address and ID number, the database contained information about “key persons” identified by police as requiring enhanced surveillance, as well as police reports. In one case, a man was reported to police for raping his 3-year-old granddaughter. In another example, a person was investigated for a petition at Tiananmen Square in Beijing. The sample also included the name and passport number of an American citizen who violated the visa requirements in China.

Nine people contacted by phone by The Times confirmed their names and details. None of the people contacted said they had heard of a data breach before.

Some people did not seem to be dissatisfied with the disclosure of their personal information. One man, whose police complaint that his daughter had been raped by a manager at work appeared in the sample set, confirmed the accuracy of the record when contacted by phone. But he said the episode was a thing of the past and that it did not matter if the information was publicly available.

Others expressed frustration and resignation. Many Chinese are accustomed to surveillance, censorship, and frequent telemarketing calls, and accept that such intrusions are the cost of convenience and security. Still, they said safeguards were needed.

“These are files of the general public, so it’s alarming,” said May Peng, a Shanghai saleswoman whose details are included in the sample set. She confirmed that she had filed a police report in 2017 when her electric scooter was stolen, as the data show. “They should be better protected.”

The government has remained silent on the matter. China’s Cyber Security Administration did not respond to a faxed request for comment. The Shanghai Public Security Bureau refused to answer questions about the database.

The government’s refusal to acknowledge a leak contrasts with the general practice in other countries, where businesses and government agencies are obliged to warn affected users if information is leaked.

Troia, owner of securitydisovery.com, a cybersecurity consultancy, and another researcher, Bob Diachenko, said the data in Shanghai was securely stored on a closed network until someone set up a gateway that essentially pierced the firewall. They said that creating such a portal is a common practice among developers as an easy way to access a database, but that such gateways should be password protected.

The gateway to the Shanghai database did not have a password.

Troia said he first encountered the pile of unsecured files in December or January, and that it stood out for its immense size. He said he had downloaded and reviewed a small sample of the files at that time.

In mid-June, Diachenko said, his team found that someone had copied and destroyed the data and left a ransom note demanding 10 Bitcoins (currently worth about $200,000) to recover the information. He said he had determined that the database could be accessed until April this year. Security researchers say it is common for malicious attackers to hijack publicly available databases and attempt to blackmail data owners with ransom demands.

It’s unclear if anyone paid to download the entire database. The Times contacted the anonymous users this week but received no response.

According to security researchers, the vast amount of personal information in the Shanghai database could put the individuals whose data was disclosed at risk of extortion and fraud.

“The more complete a person’s profile, the higher the risk,” said Diachenko. “The possibilities are endless.”