Hackers have put up a Shanghai police database that may contain information about one billion Chinese citizens, which could be one of the largest known breaches of China’s personal data.
Hackers couldn’t immediately see the magnitude of the leak that hackers said in a forum post contained terabytes of information about a billion Chinese, but the New York Times had 750,000 hackers. We were able to confirm some of the sample records released to prove the authenticity of the data.
An unidentified person or group sells the data for 10 Bitcoin (about $ 200,000).
In recent years, the Chinese government has been working hard to tighten control over the leaking industry, which is driving Internet fraud. However, the focus of this enforcement has often been on high-tech companies. Governments themselves, which have long struggled to properly protect the large amounts of data they collect about their citizens, are often exempt from strict rules and penalties for Internet companies.
In the past, when a small leak was reported by a so-called white hat hacker who searches for and reports vulnerabilities, Chinese regulators warned local governments to better protect their data. Still, it was difficult to ensure discipline. As police control one of the most invasive surveillance devices in the world, the responsibility for protecting the collected data often lies with local governments, who have little experience in monitoring data security. As a result, the problem continues that the database remains open to the public or is vulnerable to relatively weak safeguards.
Nonetheless, the general public in China is confident in the handling of data by authorities and usually considers private citizens to be unreliable. Government leaks are often severely censored. It has been mostly censored since the news of Shanghai police violations appeared on the internet and became viral. The Chinese state media has not written about the news.
It was possible to validate the sample provided by the hacker, but it has not been confirmed that it contains as much data as claimed.
Still, the released sample looks real. One sample contained personal information about 250,000 Chinese citizens, including name, gender, address, government-issued ID number, and date of birth. In some cases, you can find out about an individual’s profession, marriage history, ethnicity, education level, and even whether the person is labeled as a “key person” by the State Department of Public Security.
Another sample set included police incident records, including personal information such as phone numbers and IDs, as well as reports of reported crimes. The case was as early as 1997-2019. Other sample sets contained information that looked like an individual’s partial cell phone number and address.
When a Times reporter called the phone number of the person whose information was contained in the sample data of police records, four confirmed the details. The other four who received the call confirmed their names before hanging up. None of the people contacted said they knew about the data breach before.
In one case, the data provided the man’s name and said in 2019 he reported to police a scam that paid about $ 400 for moldy tobacco. The individual contacted by phone confirmed all the details contained in the leaked data.
The Shanghai Public Security Bureau repeatedly refused to answer questions about hacker claims. Multiple calls to China’s Cyber Security Administration were unanswered on Tuesday.
Posts, articles and hashtags about data breaches have been removed on Chinese social media platforms such as Weibo and the communication app WeChat. Weibo states that the account of the user who posted or shared the relevant information has been suspended and other users talking about it have been asked to go to the police station to chat online.
