EXECUTIVE SUMMARY:

For roughly $200,000, an individual is selling personal data that purportedly belongs to a billion Chinese citizens. Initial data samples and analyses suggest that the data is genuine, and persons listed within the database have confirmed that their information is authentic. If confirmed, this may be among the largest data breaches in history.

What happened

The data is believed to have been stolen from a Shanghai police database. A hacker, whose online handle is ChinaDan, wrote in an online forum last week that the data set totals 22 terabytes. The New York Times has since determined that at least a portion of the data (750,000 records) appears to be real.

How it happened

The data was exfiltrated via a local private cloud provided by Aliyun (Alibaba Cloud), part of the Chinese police network or public security network. The leak may have occurred because a government agency accidentally exposed an Elasticsearch database online.

Binance CEO Zhao Changpeng later added that “apparently, this exploit happened because the gov developer wrote a tech blog on CSDN and accidentally included the credentials.”
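As an added, defender-side example that is not part of the original article and does not describe the actual Shanghai system, the Python below checks for the two conditions named above: an Elasticsearch node configuration that listens beyond loopback with authentication switched off, and draft text (a blog post, a README, a commit) that embeds connection credentials. The configuration keys `network.host` and `xpack.security.enabled` are real Elasticsearch settings; the credential regexes, the sample draft and the sample configs are constructed for illustration and are not exhaustive.

```python
"""
Pre-publication secret scan and Elasticsearch exposure audit (added example).

Both checks are assumptions about what a reasonable control looks like, not a
description of how the breach in the article was found. Sample inputs below
are constructed.
"""
import re

# Credential shapes commonly seen in copy-pasted snippets (assumed list).
# In every pattern the LAST capturing group is the secret itself.
CREDENTIAL_PATTERNS = {
    # scheme://user:password@host, e.g. an Elasticsearch or database URL
    "url_with_credentials": re.compile(
        r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:([^\s/@]+)@[^\s]+", re.I),
    # key = value assignments such as password=..., api_key: "..."
    "assignment": re.compile(
        r"\b(password|passwd|pwd|secret|api[_-]?key|access[_-]?key|auth[_-]?token|token)"
        r"\s*[:=]\s*['\"]?([^\s'\"]{6,})", re.I),
    # HTTP basic auth header with an inline base64 blob
    "basic_auth_header": re.compile(
        r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]{8,})", re.I),
}


def find_credentials(text):
    """Return [(line_number, pattern_name, redacted_line)] for each line that
    appears to embed a secret. The secret value itself is never returned, so
    the findings can be logged or shown in a review tool safely."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in CREDENTIAL_PATTERNS.items():
            match = pattern.search(line)
            if match:
                secret = match.group(match.lastindex)
                findings.append((lineno, name, line.replace(secret, "***")))
                break  # one finding per line is enough to block publication
    return findings


def audit_elasticsearch_config(yaml_text):
    """Flag the combination the article describes: the node listens on a
    non-loopback address while X-Pack security (authentication) is off.
    Uses a minimal flat 'key: value' parse of elasticsearch.yml (assumed
    layout); comments after '#' are ignored."""
    settings = {}
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip().strip("'\"")

    issues = []
    # network.host defaults to loopback; anything else is reachable remotely.
    host = settings.get("network.host", "127.0.0.1")
    if host not in ("127.0.0.1", "localhost", "::1", "_local_"):
        issues.append(f"network.host={host!r} binds beyond loopback")
    # The default of xpack.security.enabled depends on the Elasticsearch
    # version, so require it to be set explicitly to true.
    security = settings.get("xpack.security.enabled")
    if security is None:
        issues.append("xpack.security.enabled is not set explicitly")
    elif security.lower() != "true":
        issues.append("xpack.security.enabled is not true (no authentication)")
    return issues


# Constructed blog draft: one connection URL and one basic-auth header leak.
BLOG_DRAFT = """\
Connecting to our cluster is easy:
    es = Elasticsearch("http://admin:Sup3rS3cret@10.0.0.12:9200")
Or with curl:
    curl -H "Authorization: Basic YWRtaW46U3VwM3JTM2NyZXQ=" http://10.0.0.12:9200/_cat/indices
Remember to set a password on the keystore.
"""

# Constructed node configs: the exposed pattern beside a corrected one.
EXPOSED_CONFIG = """\
cluster.name: records
network.host: 0.0.0.0          # reachable from every interface
http.port: 9200
xpack.security.enabled: false  # no authentication at all
"""
HARDENED_CONFIG = """\
cluster.name: records
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
"""

if __name__ == "__main__":
    for lineno, kind, redacted in find_credentials(BLOG_DRAFT):
        print(f"draft line {lineno}: {kind}: {redacted.strip()}")
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_elasticsearch_config(cfg) or ["ok"])
```

Run as a pre-publish or pre-commit hook, `find_credentials` returns only redacted lines, so a positive finding can be reported to the author without copying the secret into logs; `audit_elasticsearch_config` is deliberately strict and treats an unset `xpack.security.enabled` as a finding rather than guessing the version default.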

Types of information in the data leak

  • Full names
  • Addresses
  • Government-issued ID numbers
  • Birth year

In some instances, a person’s profession, marital status, education level, ethnicity, and whether or not the nation’s public security ministry considered the person a “key person” could also be seen.

A different data sample set included police case records, phone numbers and IDs, which dated from 1997 through 2019. Yet another data sample included portions of cell phone numbers and home addresses.

Confirmation of data authenticity

Investigative journalists have attempted to determine the authenticity of the data by calling individuals listed in the database and asking relevant questions. For example, the data gave the name of a man who reported a scam to the police in 2019. When reached by phone, the individual confirmed the details as described in the stolen data.

Social media platforms

Chinese social media platforms appear to have removed articles and hashtags that mention the data leak. Weibo accounts of users who shared information about the leak have been suspended. Others noted that mentioning the issue online has resulted in authorities’ requests that they visit the local police station.

Data protection

According to the New York Times, the public in China generally expresses confidence in the authorities’ safeguarding of data, and many consider private companies less deserving of trust.

When security researchers have discovered and reported smaller data leaks involving data managed by Chinese authorities, national regulators have warned local groups to take stronger steps to protect the data.

A senior China researcher at Human Rights Watch notes that in Chinese law, “there is vague language about state data handlers having responsibility to ensure the security of data. But ultimately, there is no mechanism to hold government agencies responsible for a data leak.”

For more on this story, please visit The New York Times.