Hackers claim to have breached the data of one billion Chinese residents from the police
The data included names, national identities, phone numbers, medical records, details from police reports, and other information. Although the authenticity of the full database has not been confirmed, The Post’s review of some ID numbers appears to be tracking with information on a government website.
Alleged intruders He said there are several billion reports of cases — from robberies to fights against domestic violence, dated from the late 1990s to 2019 — and records of one billion Chinese citizens. If validated, the database would cover more than 70 percent of China’s 1.4 billion population. Personal information and reported incidents were included in separate files.
Despite the scope, the government was preventing victims from learning about the leak. On Weibo, a Twitter-like platform widely used in China, a keyword search for “data leak” or “Shanghai police database” failed to return any hack-related results. One affected individual, in an interview with The Post, confirmed details of the record linked to them but was unaware of the leak.
Analysis: Here are four big questions about the massive leak of the Shanghai police
The breach came after China’s Personal Information Protection Law came into effect last year, which imposed strict security safeguards on companies and government entities that handle personal information. The law was passed after Chinese regulators ordered more than 40 companies to change it Their operations to violate the rules of data transmission, Reuters reported.
Kendra Schaefer, Head of Technology Policy Research at Trivium China, a China-focused research team, He said in a post on Twitter On Monday, the incident was the first major public breach by a government body under the new law. “So it’s not clear who is responsible,” she said. The Ministry of Public Security (MSP) usually oversees investigations into cybercrime.
“The records also allegedly contain details about minors’ case files,” Schaefer said. “So this would be a violation of the Protection of Minors Act.” It raised the possibility of the data containing information of celebrities or officials.
In the released sample dataset, some information was associated with individuals included in the “Seven Categories of Principal Persons”, referring to individuals who were monitored by MSP for suspected criminal activity.
State departments, the Shanghai government and the Shanghai Police Department did not respond to requests for comment.
However, it’s also possible that the files were on the internet before the law took effect – it wasn’t until the alleged hacker released them online that they gained public attention. Cybersecurity researcher Vinny Troia told CNN that the database was notified in January on a public site, which opened in April 2021, meaning anyone can access the database since then.
There is also speculation that government employees accidentally included the credentials needed to access the database in a blog post on the China Developer Network, a forum for developers to share code. Changpeng Zhao, CEO of crypto exchange Binance, referred to the theory in a tweet on Monday. He said the company had “already stepped up verifications” of potentially affected users.
The unnamed poster claimed that the database was hosted by AliCloud, a subsidiary of Chinese e-commerce giant Alibaba Group. Cloud providers of major tech companies, such as AliCloud, typically build the digital infrastructure for government agencies.
Alibaba Group did not respond to a request for comment.
But Sean Chang, CEO of security solutions provider HardenedVault, found the theory unconvincing. Shanghai is a city [with] 250 million people. AliCloud is unlikely [to use] One key to the entire police system. He added that the breach could be elsewhere, such as central key management services failing to follow through on the authentication process.
Web security consultant Troy Hunt said the anonymity of the person who offered the sale, as well as the size of the database, raised questions about its accuracy. He added that the request for significant compensation also raises the possibility of exaggeration or fraud of the claim.
The data was also robust, Hunt said, “because it is a very unique category of information.” Unlike self-reported names and phone numbers while filling out an online form – which have been seen in other data breaches – police reports would have been “only in one place”.
It’s no secret that government entities in China have poorly managed data systems. Zhang said, “The problem with the Chinese government is that it collects the data of all citizens on public service platforms, which has had serious consequences once the data is leaked. Anywhere you go, you have to provide your information. But there is no systematic way to manage this data. Private companies are bad at managing data, but they are better than government.”
Earlier this year, a researcher obtained a cache of documents from Xinjiang police, which detail harsh surveillance and re-education practices in the region and highlight Beijing’s crackdown on the Uyghur population.