In what may be one of the biggest known breaches of Chinese personal data, a hacker is offering for sale a database of Shanghai police that could contain information about perhaps a billion Chinese citizens.
Although it was not immediately possible to verify the scale of the leak, which the hacker said in a forum post that included terabytes of information on one billion Chinese, the New York Times was able to verify parts of a sample of 750,000 records of the hacker. Issued to validate the data.
The anonymous person or group is selling the data for 10 Bitcoin, or about $200,000.
In recent years, the Chinese government has worked hard to tighten controls on the leaky industry that has fueled online fraud. However, this app is often focused on technology companies. The government itself, which has long struggled to adequately protect the volume of data it collects on citizens, is often exempt from strict rules and penalties targeting internet companies.
In the past, when smaller leaks were reported by so-called white-hat hackers, who search for and report vulnerabilities, Chinese regulators warned local authorities to better protect data. However, ensuring discipline was difficult. With the police presiding over one of the world’s most intrusive monitoring devices, responsibility for protecting the data collected often falls to local officials who have little experience overseeing data security. As a result, issues persisting with leaving databases open to the public or making them vulnerable due to relatively weak safeguards.
Despite this, the public in China often expresses confidence in the authorities’ handling of data and typically considers private companies to be less trustworthy. Government leaks are often strictly controlled. Since the news of the Shanghai police hack emerged and spread on the Internet, it has mostly been censored. Chinese state-run media did not report on the news.
Although it was possible to verify the samples provided by the hacker, it was not established whether they contained as much data as he claimed.
However, the released samples look real. One sample contained 250,000 personal information for Chinese citizens, including name, gender, address, government-issued identification number and year of birth. In some cases, individuals’ occupation, marital status, ethnicity, education level and whether the person has been classified as a “key person” can be found by the country’s Ministry of Public Security.
Another sample set included police case records, which included records of reported crimes as well as personal information such as phone numbers and IDs. Cases dated from 1997 to 2019. The other sample set included information that appeared to be individuals’ partial mobile phone numbers and addresses.
When a Times reporter called the phone numbers of people whose information was in the police records data sample, four people confirmed the details. Four others who picked up the phone confirmed their names before hanging up. None of the people contacted said they had any prior knowledge about the data leak.
In one case, the data provided the name of a man and said that in 2019 he reported to the police a fraud in which he paid about $400 for cigarettes that turned out to be moldy. The person, contacted by phone, confirmed all the details described in the leaked data.
The Shanghai Public Security Bureau has repeatedly refused to answer questions about the hacker’s claim. Multiple calls to China’s cybersecurity department on Tuesday went unanswered.
On Chinese social media platforms, such as Weibo and communications app WeChat, posts, articles and hashtags about the data leak have been removed. On Weibo, the accounts of users who posted or shared relevant information were suspended, and others who spoke about it online said they were asked to visit the police station to chat.