A Shanghai police database that may include information on one billion Chinese residents has been offered for sale by a hacker, marking what may be one of the greatest known thefts of personal data in China. The database was stolen from the Shanghai police department.
Last week, an anonymous hacker going by the moniker ChinaDan posted a message in an online forum claiming that the database being offered for sale had gigabytes of information on one billion Chinese people. It was not possible to verify how extensive the breach was. The legitimacy of the data was shown by the hacker by releasing a sample of 750,000 records, wherein some of those records were authenticated by the New York Times.
The hacker, who just recently joined the internet forum, is offering to sell the information for 10 Bitcoin, which is equivalent to almost $200,000 USD. The person or organisation in question did not disclose any specifics about the data collection process. The Times attempted to get in touch with the hacker, but they did not hear back from them right away. A duality exists in China, which is brought to light by the hacker’s offer of the Shanghai police database: Despite the fact that the nation has been in the forefront of collecting vast amounts of data on its residents, it has had less success in securing and safeguarding that data.
The Chinese government has been working to strengthen regulations over a data business that has been leaking information and contributing to online fraud. However, the emphasis of the enforcement has often been on technology corporations, while the authorities themselves seem to be free from the stringent laws and penalties that are intended to secure information at internet companies.
According to Yaqiu Wang, a senior China researcher at Human Rights Watch, there are no repercussions for the government if it fails to secure the personal information of its residents. “there is hazy wording regarding state data handlers having obligation to safeguard the security of the data” is found in Chinese legislation; however, this responsibility is not explicitly stated. “However, in the end, there is no system in place to hold government organisations accountable for a data breach,” she added. For instance, Beijing put stricter regulations on Didi, the Chinese version of Uber, when the company attempted to list on the New York Stock Exchange in 2017, citing the potential for sensitive personal information to be compromised as the justification. However, when local authorities in the Chinese province of Henan abused data from a Covid-19 app to prevent demonstrators one month ago, officials were mostly spared from serious punishments for their actions.
Chinese officials have advised local authorities to better safeguard the data whenever minor breaches have been discovered by so-called white-hat hackers, who hunt for and disclose weaknesses. White-hat hackers look for holes and report them. Even however, maintaining discipline has proven to be challenging due to the fact that the job of safeguarding the data has often been delegated to local authorities who have less expertise supervising data security.
In spite of this, the general population in China often has a higher level of trust in the way that the government handles data, while they have a lower level of trust in private firms. Leaks from the government are often edited or controlled. The information on the breach that occurred inside the Shanghai police department has also been largely restricted, since the state-controlled media in China has not reported it.
Samples of the Shanghai database were supplied in the hacker’s online post, which was found on the website. In one of the samples, the personal information of 250,000 Chinese individuals was included. This information includes the citizens’ names, sexes, addresses, birth years, and government-issued ID numbers. In certain instances, it was possible to find out the people’ professions, marital statuses, ethnicities, and levels of schooling, in addition to determining whether or not the individual was considered a “important person” by the country’s ministry of public security.
Another set of samples had police case data, which included not just documentation of the crimes that were recorded, but also personal information such as phone numbers and identification numbers. The instances spanned the time period from 1997 all the way up to 2019. The information that looked to be incomplete mobile phone numbers and addresses of persons was included in the other sample batch of data.
Four individuals validated the facts when a reporter for The Times phoned the phone numbers of persons whose information was included in the sample data of police records. Before hanging up, four more people affirmed that their names were correct. None of the individuals who were contacted admitted that they had any prior awareness of the data breach.
In one instance, the data presented the identity of a guy and said that, in 2019, he reported to the police an incident of fraud in which he paid around four hundred dollars for cigarettes that turned out to be mouldy. When contacted by phone, the subject confirmed the information that was included in the compromised data.
In response to questioning about the hacker’s allegation, Shanghai’s Public Security Bureau did not provide a response. On Tuesday, the Cybersecurity Administration of China did not return any of the calls that were sent to them.
Posts, articles, and hashtags relating to the data breach have been deleted from Chinese social media sites including Weibo and the messaging app WeChat. Accounts of users who posted or shared similar material on Weibo have been suspended, and other users who discussed it online have reported that they have been called to attend the police station for a conversation as a result of their participation in the discussion.
