“ChinaDan” posted in an online cybercrime forum that they lifted the data of 1 billion Chinese citizens from a Shanghai police database—and they’re selling the entire 24-terabyte trove for 10 bitcoin, or around $200,000. It’d be one of the biggest data breaches ever…if ChinaDan is telling the truth.
To back up his claim, ChinaDan pulled a Costco and handed out a free sample of 750,000 records. It listed names, phone numbers, addresses, and birth dates—including info for at least one minor. The New York Times and the Wall Street Journal separately confirmed parts of the sample matched actual Chinese residents.
At least one crypto company is raising the alarm: Changpeng Zhao, CEO of the cryptocurrency exchange Binance, tweeted that his threat intelligence team had detected that 1 billion resident records “from one Asian country” were for sale on the dark web, and called on other platforms to step up security measures.
Over the years, authorities in China have become expert at amassing digital and biological information on people’s daily activities and social connections. They parse social media posts, collect biometric data, track phones, record video using police cameras and sift through what they obtain to find patterns and aberrations. A Times investigation last month revealed that the appetite of Chinese authorities for regular citizens’ information has only expanded in recent years.
But even as Beijing’s appetite for surveillance has ramped up, authorities have appeared to leave the resulting databases open to the public or left them vulnerable with relatively weak safeguards. In recent years, The Times has reviewed other databases used by the police in China.
China’s government has worked to tighten controls over a leaky data industry that has fed internet fraud. Yet the focus of the enforcement has often centered on tech companies, while authorities appear to be exempt from strict rules and penalties aimed at securing information at internet firms.
Yaqiu Wang, a senior China researcher at Human Rights Watch, said if the government doesn’t protect its citizens’ data, there are no consequences. In Chinese law, “there is vague language about state data handlers having responsibility to ensure the security of the data. But ultimately, there is no mechanism to hold government agencies responsible for a data leak,” she said.
Last year, for example, Beijing cracked down on Didi, China’s equivalent of Uber, after its listing effort on the New York Stock Exchange, citing the risk that sensitive personal information could be exposed. But when local authorities in the Chinese province of Henan misused data from a Covid-19 app to block protesters last month, officials were largely spared from severe penalties.
When smaller leaks have been reported by so-called white-hat hackers, who search out and report vulnerabilities, Chinese regulators have warned local authorities to better protect the data. Even so, ensuring discipline has been difficult, with the responsibility to protect the data often falling on local officials who have little experience overseeing data security.
Despite this, the public in China often expresses confidence in authorities’ handling of data and typically considers private companies less trustworthy. Government leaks are often censored. News of the Shanghai police breach has also been mostly censored, with China’s state-run media not reporting it.
“In this Shanghai police case, who is supposed to investigate it?” said Ms. Wang of Human Rights Watch. “It’s the Shanghai police itself.”
In the hacker’s online post, samples of the Shanghai database were provided. In one sample, the personal information of 250,000 Chinese citizens — such as name, sex, address, government-issued ID number and birth year — was included. In some cases, the individuals’ profession, marital status, ethnicity and education level, along with whether the person was labeled a “key person” by the country’s public security ministry, could also be found
Zhao Changpeng, CEO of Binance, said on Monday the cryptocurrency exchange had stepped up user verification processes after the exchange’s threat intelligence detected the sale of records belonging to 1 billion residents of an Asian country on the dark web.
He said on Twitter that a leak could have happened due to “a bug in an Elastic Search deployment by a (government) agency”, without saying if he was referring to the Shanghai police case.
He posted again on Twitter later in the day, saying: “apparently, this exploit happened because the gov developer wrote a tech blog on CSDN and accidentally included the credentials”, referring to the China Software Developer Network.
Software company Elastic said it was incorrect to cite it as the source of the breach. The Shanghai government did not immediately respond to a request for comment on Wednesday.
The claim of a hack comes as China has vowed to improve protection of online user data privacy, instructing its tech giants to ensure safer storage after public complaints about mismanagement and misuse.
Last year, China passed new laws governing how personal information and data generated within its borders should be handled.
Zoom out: The Chinese government is known for collecting extensive data on citizens, and a breach of this scale could be “potentially incredibly embarrassing,” cybersecurity research scientist Chester Wisniewski told the AP. After being a hot topic on social media platforms Weibo and WeChat this weekend, related posts, articles, and hashtags have been scrubbed by government censors, and accounts that posted about it were suspended.—JW