Chinese Police Database Wasn’t Secure Long Before It Was Seized

A Shanghai police database with a large amount of personal data that was seized by a hacker or group sat online, unprotected, for months, security researchers said, in what is likely the biggest known breach. of Chinese government computer systems.

The leak, which came to light after an anonymous user posted on an online forum offering to sell the personal information of up to one billion Chinese citizens, exposes the privacy risks of the Chinese government’s vast surveillance and security apparatus. .

Authorities in China collect vast amounts of data on citizens by tracking their movements, reviewing their social media posts, and recording their DNA and other biological markers. Yet even as the state amasses ever-increasing amounts of personal data, it has sometimes been negligent in erecting safeguards, such as by leaving it on unprotected servers. Shortly after the Shanghai database was announced, another anonymous user posted on an online forum offering to sell a separate police database for the central Chinese province of Henan, claiming to have information on 90 million citizens.

In recent years, Chinese citizens have expressed increasing demands for personal privacy and data protection from companies. This leak, if it became widely known in China, would very likely also fuel public resistance to the government’s collection of private data. But news of the leak was quickly censored and removed from Chinese internet and social media platforms, a sign that the government recognizes the explosive nature of the apparent leak. As of Thursday, hashtags such as “Shanghai Data Leak,” “Billion Citizens Data Leak,” and “Data Leak” were still blocked on Sina Weibo, a popular Chinese microblogging service.

“It has left a huge black eye for the Chinese public security world and, by extension, the Chinese government,” said Paul Triolo, senior vice president for China at Albright Stonebridge Group, a strategy firm. “It is not surprising that they have gone into full censorship mode given how sensitive this issue is to the public.”

While large data breaches are not uncommon, the Shanghai police database is notable for both its scale and the highly sensitive nature of some of the information included, security researchers said.

Two cybersecurity researchers said they had separately verified the anonymous user’s claims that the database included more than 23 terabytes of data covering up to a billion people, noting that one of the leaked files appeared to contain nearly 970 million people. records. They did not rule out the possibility of duplicate entries.

One of them, Vinny Troia, founder of Shadowbyte, a threat intelligence company, said he first came across the database months ago. Data from Leak IX, an online platform that scours the internet for exposed databases, shows that the server has been accessible since April 2021. The revelation that the Shanghai database had not been secure for a long time was previously reported by CNN.

The New York Times confirmed parts of a sample of 750,000 records that the anonymous user, who calls himself ChinaDan, posted to test the authenticity of the data. In addition to addresses and identification numbers, the database also included information on “key persons” identified by the police who required further surveillance, as well as police reports. In one case, a grandfather was reported to the police for raping his 3-year-old granddaughter. In another, a person was investigated for filing a petition in Tiananmen Square in Beijing. The sample also included the names and passport numbers of US citizens who violated the terms of their visas in China.

Nine people contacted by The New York Times by phone confirmed their names and details. None of the people contacted said that they had previously heard of the data leak.

Some seemed unfazed by the exposure of their personal information. One man, whose record of a police complaint that his daughter had been raped by his work manager was among the data published in the sample set, confirmed the accuracy of the record when contacted by phone. . But he said the episode was in the past and it didn’t matter if the information was public.

Others expressed frustration and resignation. Many Chinese have grown accustomed to surveillance, censorship and frequent telemarketing calls, accepting that such intrusions were the cost of comfort and security. Still, they said, there needs to be safeguards.

“It’s alarming because these are the files of ordinary people,” said May Peng, a seller in Shanghai whose details were also in the sample set. She confirmed that, as her data showed, she had filed a police report in 2017 when her electric scooter was stolen. “They should be better protected.”

The government has remained silent on the matter. The Cyber ​​Security Administration of China did not respond to a faxed request for comment. The Shanghai Public Security Bureau declined to answer questions about the database.

The government’s refusal to acknowledge the breach contrasts with common practice in other countries, whereby companies and government agencies are often required to alert affected users if their information has been leaked.

Mr Troia and another researcher, Bob Diachenko, owner of, a cybersecurity consultancy, said the Shanghai data had been safely stored on a closed network until someone installed a gateway that essentially punctured the firewall. They said that creating such portals was common practice among developers as a way to gain easy access to a database, but that such gateways should be password protected.

The gateway to the Shanghai database had no password.

Mr. Troia said he first came across the trove of unsecured files last December or January, and that it was notable for its sheer size. He said that he downloaded and reviewed a small sample of the files at the time.

Mr. Diachenko said his team had determined that the database was accessible from April this year until mid-June, when someone copied and destroyed the data and left a ransom note demanding 10 Bitcoin, currently worth about $200,000, for the recovery of the information. . Security researchers say it’s common for malicious actors to hijack exposed databases and try to extort ransom demands from data owners.

It is not clear if anyone paid and downloaded the entire database. The Times contacted the anonymous user this week but received no response.

Security researchers say the large amount of personal information contained in the Shanghai database could put people whose data was exposed at risk of extortion, blackmail or fraud.

“The more complete a person’s profile, the more dangerous he is,” Diachenko said. “The possibilities are endless.”

Leave a Comment

Your email address will not be published.