In what may be one of the largest known breaches of Chinese personal data, a hacker is offering for sale a Shanghai police database that may contain information on perhaps one billion Chinese citizens.
While it was not immediately possible to verify the scale of the leak, which the hacker said in a forum post included terabytes of information on one billion Chinese people, The New York Times was able to verify parts of a sample of the 750,000 records the hacker released to prove the authenticity of the data.
The unidentified person or group is selling the data for 10 bitcoins, or about $200,000.
In recent years, China’s government has worked hard to tighten controls on a neglected industry that fuels Internet fraud. Yet this enforcement often focuses on technology companies. The government itself, which has long struggled to adequately protect the troves of data it collects on citizens, is often exempt from strict rules and penalties aimed at Internet companies.
In the past, when smaller leaks have been reported by so-called white-hat hackers who search for and report vulnerabilities, Chinese regulators have warned local authorities to better protect data. However, enforcing discipline is difficult. Because the police operate one of the most invasive surveillance apparatuses in the world, the responsibility for protecting the data collected often falls to local officials who do not have much experience in overseeing data security. As a result, problems persist where databases are left open to the public or made vulnerable due to relatively lax safeguards.
However, the public in China often trusts the authorities’ handling of data and generally views private companies as less trustworthy. Leaks from the government are often heavily censored. Since news of the Shanghai police breach broke and went viral on the internet, it has been mostly censored. Chinese state media did not report on the news.
While it was possible to verify samples provided by the hacker, it has not been determined whether the database contains as much data as claimed.
However, the samples released do look genuine. One sample contains the personal information of 250,000 Chinese citizens, including name, gender, address, government-issued social security number and year of birth. In some cases, the records even include occupation, marital status, ethnicity, education level, and whether the person has been designated as a “key person” by the country’s public security ministry.
Another sample set includes police case records, which contain records of reported crimes as well as personal information such as phone numbers and IDs. The cases date from 1997 to 2019. The other set of samples contained information that appeared to be partial mobile phone numbers and addresses of individuals.
When a Times reporter called the phone numbers of people whose information was in sample police records, four people confirmed the details. Four others who answered the phone confirmed their names before hanging up. None of the people contacted said they had any prior knowledge of the data breach.
In one case, the data provided the name of a man and said he reported a scam to police in 2019 in which he paid about $400 for cigarettes that turned out to be moldy. The person contacted by phone confirmed all the details described in the leaked data.
The Shanghai Public Security Bureau has repeatedly declined to answer questions about the hacker’s claim. Several calls to the Cybersecurity Administration of China went unanswered Tuesday.
On Chinese social media platforms such as Weibo and the communication app WeChat, posts, articles and hashtags about the data leak have been removed. On Weibo, the accounts of users who posted or shared related information were suspended, and others who spoke out said online that they had been asked to visit the police station to chat.