A Shanghai police database containing a vast trove of personal data, accessed by a hacker or group, was left online, unsecured, for months, security researchers have said, in what is likely the most significant known breach of Chinese government computer systems.
The leak, which came to light after an anonymous user posted on an online forum offering to sell the personal information of one billion Chinese citizens, exposes the privacy risks of the country’s vast surveillance and security apparatus.
Chinese authorities collect large amounts of data on citizens by tracking their movements, scanning their social media posts and recording their DNA and other biological markers. Yet even as the state accumulates ever-increasing amounts of personal data, it has sometimes been lax about safeguarding it, for example by parking it on unprotected servers. Shortly after the Shanghai database announcement, another anonymous user posted an offer in an online forum to sell a separate police database from the central Chinese province of Henan, claiming to hold information on 90 million citizens.
Chinese citizens have increasingly demanded privacy and data protection from companies in recent years. This leak, if it became widely known in China, would most likely also fuel public resistance to government collection of private data. But information about the leak was quickly censored and removed from Chinese internet and social media platforms, a sign that the government recognizes the explosive nature of the apparent breach. On Thursday, hashtags such as “Shanghai data leak”, “Billion citizen data leak” and “Data leak” remained blocked on Sina Weibo, a popular microblogging service in China.
“It left a big black eye for the Chinese public security world and, by extension, the Chinese government,” said Paul Triolo, senior vice president for China at Albright Stonebridge Group, a strategy firm. “It’s no surprise they’ve gone into full censorship mode given how sensitive this issue is to the public.”
Although large data leaks are not uncommon, the Shanghai Police database stands out both for its scale and for the highly sensitive nature of some of the information included, security researchers said.
Two cybersecurity researchers said they separately verified the anonymous user’s claims that the database included more than 23 terabytes of data covering up to a billion individuals, noting that one of the leaked files appeared to contain nearly 970 million records. They did not rule out the possibility of duplicate entries.
One of them, Vinny Troia, founder of Shadowbyte, a threat intelligence firm, said he came across the database months ago. Data from LeakIX, an online platform that scours the internet for exposed databases, shows that the server was accessible as early as April 2021. The revelation that the Shanghai database had been left unsecured for a long time was reported earlier by CNN.
The New York Times confirmed parts of a sample of 750,000 records that the anonymous user, who goes by the name ChinaDan, posted to prove the authenticity of the data. In addition to addresses and identification numbers, the database included information on “key people” identified by police as requiring increased surveillance, as well as police reports. In one case, a man was reported to police for raping his 3-year-old granddaughter. In another case, a person was investigated for petitioning in Tiananmen Square in Beijing. The sample also included the names and passport numbers of US citizens who violated the terms of their visas in China.
Nine people reached by the Times by telephone confirmed their names and contact details. None of those contacted said they had ever heard of the data leak.
Some seemed indifferent to the disclosure of their personal information. One man, whose police complaint that his daughter had been raped by her boss at work was among the records released in the sample, confirmed the accuracy of the record when reached by phone. But he said the episode was in the past and it didn’t matter that the information was public.
Others expressed frustration and resignation. Many Chinese have grown accustomed to surveillance, censorship and frequent telemarketing calls, accepting such intrusions as the cost of convenience and security. Still, they said, safeguards are needed.
“It’s alarming because these are the files of ordinary people,” said May Peng, a saleswoman in Shanghai whose contact details were also in the sample. She confirmed that, as the data showed, she filed a police report in 2017 when her electric scooter was stolen. “They should be better protected.”
The government has remained silent on the issue. The Cybersecurity Administration of China did not respond to a faxed request for comment. The Shanghai Public Security Bureau declined to answer questions about the database.
The government’s refusal to acknowledge the leak contrasts with common practice in other countries, under which companies and government agencies are often obligated to alert affected users if their information has been leaked.
Mr. Troia and another researcher, Bob Diachenko, owner of SecurityDiscovery.com, a cybersecurity consultancy, said the Shanghai data was stored securely on a closed network until someone put up a gateway that basically punched a hole in the firewall. They said that creating such gateways was a common practice among developers as a way to easily access a database, but that such gateways should be password protected.
The gateway to the Shanghai database did not have a password.
Mr. Troia said he first discovered the trove of unsecured files in December or January, and that it stood out for its large size. He said he downloaded and reviewed a small sample of the files at the time.
Mr. Diachenko said his team determined that the database was accessible from April this year until mid-June, when someone copied and destroyed the data and left a ransom note demanding 10 Bitcoins, currently worth about $200,000, for recovery of the information. Security researchers say it is common for malicious actors to hijack exposed databases and attempt to extort data owners with ransom demands.
It is unclear if anyone paid for and downloaded the entire database. The Times contacted the anonymous user this week but did not receive a response.
Security researchers say the large amount of personal information in the Shanghai database could put people whose data has been exposed at risk of extortion, blackmail or fraud.
“The more complete a person’s profile you have, the more dangerous they are,” Diachenko said. “The possibilities are limitless.”