A Shanghai police database containing a vast collection of personal data, seized by a hacker or group, had been left online and unsecured for months, security researchers say. It is the biggest breach of computer systems.
The leak came to light after an anonymous user posted in an online forum an offer to sell the personal information of more than one billion Chinese citizens. It exposes the security risks of the Chinese government’s extensive surveillance and security apparatus.
Authorities in China collect a large amount of data on citizens by tracking their movements, scoring their social media posts and recording their DNA and other biological markers. Yet while the state collects the maximum amount of personal data, it has sometimes been slow to take security measures, in some cases parking the data on insecure servers. Shortly after the Shanghai database was advertised, another anonymous user posted on an online forum offering to sell a separate police database from the central Chinese province of Hainan, claiming that it has information about 90 million citizens.
Chinese citizens have in recent years expressed growing demands to protect their privacy and data from companies. The leak, if it becomes widely known within China, is likely to provoke public resistance to the government’s collection of private data. But news of the leak has been increasingly censored and removed from the Chinese internet and social media platforms, a sign that the government acknowledges the explosive nature of the apparent breach. As of Thursday, hashtags such as “Shanghai Data Leak,” “One Billion Citizens Data Leak” and “Data Leak” remained blocked on Sina Weibo, a popular Chinese microblogging service.
“It has left a big black eye for the Chinese public security world and for the Chinese government through expansion,” said Paul Triolo, senior vice president for China at the Albright Stonebridge Group, a strategy firm. “It is not surprising that they have gone into full censorship mode, given how sensitive this issue is to the public.”
Security researchers say that while big data leaks are not uncommon, the Shanghai police database is significant for both its scale and the highly sensitive nature of some of the information it contains.
Two cybersecurity researchers say they have separately confirmed the anonymous user’s claims that the database contains more than 23 terabytes of data covering one billion people, noting that one of the leaked files contained about 970 million records. They did not rule out the possibility of duplicate entries.
One of them, Vinny Troia, founder of the threat intelligence company Shadowbyte, said he first stumbled upon the database months ago. Data from LeakIX, an online platform that trawls the internet for exposed databases, shows that the server was accessible as early as April 2021. CNN earlier reported that the Shanghai database had long been unsecured.
The New York Times has confirmed parts of a sample of 750,000 records that the anonymous user, known as ChinaDan, released to verify the data. In addition to addresses and identification numbers, the database contained information about “important people” identified by the police as requiring strict surveillance, as well as police reports. In one case, a man reported abusing his 3-year-old granddaughter to police. In another, a man was interrogated in Beijing’s Tiananmen Square on a request. The sample also included the names and passport numbers of US citizens who had violated their visa requirements in China.
Nine people reached by The Times by telephone confirmed their names and details. None of the people contacted said they had heard of the data leak before.
Some seemed reluctant to divulge their personal information. A man whose complaint to the police that his daughter had been abused by his work manager was among the data posted in the sample set confirmed the accuracy of the record when reached by phone. But he said the incident happened in the past and it did not matter if the information was general.
Others expressed frustration and resignation. Many Chinese have become accustomed to surveillance, censorship and repeated telemarketing calls, acknowledging that such intervention is costly. Still, they said, security measures are needed.
“This is worrying because these are public files,” said May Peng, a saleswoman in Shanghai, whose details were also in the sample set. She confirmed that, as the data shows, she filed a police report in 2017 when her electric scooter was stolen. “They should be better protected.”
The government has remained silent on the issue. China’s Cybersecurity Administration did not respond to a request for comment. The Shanghai Public Security Bureau declined to comment on the database.
The government’s refusal to acknowledge the leak is contrary to common practice in other countries, where companies and government agencies are often obliged to warn affected users if their information is leaked.
Mr Troia and another researcher, Bob Dyachenko, owner of SecurityDiscovery.com, a cybersecurity consultancy, said the Shanghai data had been stored securely on a closed network until a gateway was set up that in effect drilled a hole through the firewall. They said it was common practice among developers to create such portals for easy access to a database, but that such gateways should be password protected.
The gateway to the Shanghai database did not have a password.
Mr Troia said he first saw the unsecured repository of files in December or January, and that it was notable for its large size. He said he had downloaded and reviewed a small sample of files at the time.
Mr Dyachenko said his team had determined that the database was accessible from early April to mid-June this year, when someone copied and destroyed the data, used it to collect information and left a ransom note demanding Bitcoin worth about $200,000 at the current price. Security researchers say it is common for malicious actors to hijack exposed databases and seek ransom from data owners.
It is not clear if anyone paid for the entire database and downloaded it. The Times contacted the anonymous user this week but received no response.
Security researchers say the large amount of personal information in the Shanghai database could put the people in it at risk of extortion, blackmail or fraud.
“The more complete a person’s profile you have, the more dangerous he is,” Mr Dyachenko said. “The possibilities are endless.”