In what may be one of the largest known leaks of Chinese personal data, a hacker is offering for sale a Shanghai police database that could contain information on perhaps a billion Chinese citizens.
Although it was not immediately possible to verify the magnitude of the leak, which the hacker said in a forum post included terabytes of information on a billion Chinese, The New York Times was able to verify portions of a sample of 750,000 hacker records. released to prove the authenticity of the data.
The unidentified person or group is selling the data for 10 Bitcoin, or around $200,000.
In recent years, China’s government has worked hard to tighten controls on a leaky industry that has fueled internet fraud. However, the focus of this app has often been on technology companies. The government itself, which has long struggled to adequately protect the vast amount of data it collects on citizens, is often exempt from strict rules and penalties targeting Internet companies.
In the past, when smaller leaks were reported by so-called white hat hackers, who search for and report vulnerabilities, Chinese regulators warned local authorities to better protect the data. Still, ensuring discipline has been difficult. With the police presiding over one of the most invasive surveillance apparatuses in the world, the responsibility for protecting collected data often falls to local officials who have little experience overseeing data security. As a result, problems have persisted with databases being left open to the public or made vulnerable due to relatively weak safeguards.
Despite this, the public in China often expresses confidence in the authorities’ handling of data and generally views private companies as less trustworthy. Government leaks are often closely censored. Since news of the Shanghai police rape broke and went viral on the internet, it has been mostly censored. Chinese state media have not written about the news.
Although it was possible to verify the samples provided by the hacker, it has not been established whether it contains as much data as he claims.
Even so, the published samples appear to be real. One sample contained personal information on 250,000 Chinese citizens, including name, gender, address, government-issued identification number, and year of birth. In some cases, it was even possible to find out the person’s profession, marital status, ethnicity, level of education and whether the person has been qualified as a “key person” by the country’s ministry of public security.
Another set of samples included police case records, which included records of reported crimes, as well as personal information such as phone numbers and IDs. The cases date from 1997 to 2019. The other set of samples contained information that appeared to be the individuals’ mobile phone numbers and partial addresses.
When a Times reporter called the phone numbers of people whose information was in the sample data from police records, four people confirmed the details. Four others who answered the phone confirmed their names before hanging up. None of the people contacted said they had prior knowledge of the data leak.
In one case, the data provided the name of a man and said that, in 2019, he reported a scam to police in which he paid about $400 for cigarettes that turned out to be moldy. The individual, contacted by phone, confirmed all the details outlined in the leaked data.
The Shanghai Public Security Bureau repeatedly refused to answer questions about the hacker’s claim. Multiple calls to the Cyber Security Administration of China went unanswered on Tuesday.
On Chinese social media platforms such as Weibo and the WeChat communication app, posts, articles and hashtags about the data leak were removed. On Weibo, the accounts of users who posted or shared related information were suspended, and others who spoke about it said online that they were asked to visit the police station for a chat.