Chinese police database was left unsecured long before hackers seized it

The leak exposes the privacy risks of the Chinese government's vast surveillance and security apparatus.

BEIJING (NYTIMES) - A Shanghai police database with a vast trove of personal data that was seized by a hacker or group had been left online, unsecured, for months, security researchers said, in what is probably the largest known breach of Chinese government computer systems.

The leak, which came to light after an anonymous user posted in an online forum offering to sell the personal information of as many as 1 billion Chinese citizens, exposes the privacy risks of the Chinese government's vast surveillance and security apparatus.

Authorities in China collect vast amounts of data on citizens by tracking their movements, scouring their social media posts, and recording their DNA and other biological markers.

Yet even as the state amasses ever greater amounts of personal data, it has sometimes been lax in erecting safeguards.

Chinese citizens have in recent years expressed growing demands for personal privacy and data protection from companies.

This leak, if it became widely known within China, would most likely fuel public resistance to the collection of private data by the government as well.

But news about the leak has been swiftly censored and removed from the Chinese internet and social media platforms, a sign that the government recognises the explosive nature of the apparent breach.

"It's left a big black eye for the Chinese public security world, and by extension the Chinese government," said Paul Triolo, senior vice-president for China at Albright Stonebridge Group, a strategy firm. "It's not surprising they've gone into full censorship mode given how sensitive this issue is for the public."

While large data leaks are not uncommon, the Shanghai police database stands out both for its scale and the highly sensitive nature of some of the information included, security researchers said.

Two cybersecurity researchers said they had separately verified the anonymous user's claims that the database included over 23 terabytes of data covering as many as 1 billion individuals, noting that one of the leaked files appeared to contain nearly 970 million records. They did not rule out the possibility of duplicate entries.

The government has kept silent on the matter. The Cyberspace Administration of China did not respond to a faxed request for comment. Shanghai's public security bureau declined to respond to questions about the database.

It is unclear if anyone has paid for and downloaded the entire database.
