In what is arguably one of the largest known breaches of Chinese personal data, a hacker has offered to sell a Shanghai police database that could contain information on perhaps a billion Chinese citizens.
The unidentified hacker, who goes by the name ChinaDan, posted to an online forum last week that the for-sale database contained terabytes of information about one billion Chinese. The extent of the leak could not be verified. The New York Times confirmed parts of a sample of 750,000 records that the hacker released to prove the data’s authenticity.
The hacker, who joined the online forum last month, is selling the data for 10 Bitcoin, or about $200,000. The individual or group did not say how the data was obtained. The Times attempted to contact the hacker by email, but the message could not be delivered because the address appeared to be incorrect.
The hacker’s offer to sell data from Shanghai’s police database highlights a contradiction in China: while the country has been at the forefront of collecting vast amounts of information about its citizens, it has been less successful at securing that data.
Over the years, authorities in China have become experts at collecting digital and biometric information about people’s daily activities and social connections. They parse social media posts, collect biometric data, track phones, record video with police cameras and sift through what they gather to find patterns and anomalies. A Times investigation last month found that Chinese authorities’ interest in ordinary citizens’ information has only increased in recent years.
But even as Beijing’s appetite for surveillance has grown, authorities appear to be leaving the resulting databases open to the public or protecting them with relatively weak safeguards. In recent years, The Times has reviewed other police databases in China that were left exposed in this way.
The Chinese government has been working to tighten controls on a leaky data industry that has fueled internet fraud. Still, enforcement has often focused on technology companies, while authorities appear to be exempt from strict rules and sanctions aimed at safeguarding information at internet companies.
Yaqiu Wang, a senior China researcher at Human Rights Watch, said if the government doesn’t protect its citizens’ data, there will be no consequences. Under Chinese law, “there is vague language about state data handlers responsible for data security. Ultimately, however, there is no mechanism to hold government agencies accountable for a data breach,” she said.
Last year, for example, Beijing took aim at Didi, China’s equivalent of Uber, after its IPO on the New York Stock Exchange, citing the risk that sensitive personal information could be exposed. But when local authorities in China’s Henan province misused data from a Covid-19 app to block protesters last month, officials were largely spared harsh punishment.
When smaller vulnerabilities have been reported by so-called white-hat hackers, who find and disclose security flaws, Chinese regulators have warned local authorities to better protect the data. Still, enforcement has been difficult, as responsibility for protecting the data often rests with local officials who have little experience overseeing data security.
Despite this, the public in China often expresses confidence in authorities’ handling of data and tends to view private companies as less reliable. Government leaks are often censored. News of the police breach in Shanghai has also been largely censored, with Chinese state media not reporting it.
“Who should investigate in this Shanghai police case?” said Ms. Wang of Human Rights Watch. “It’s the Shanghai police force itself.”
Samples from the Shanghai database were provided in the hacker’s online post. One sample included the personal information of 250,000 Chinese citizens, such as name, gender, address, government-issued ID number and year of birth. In some cases, the person’s occupation, marital status, ethnicity and level of education could also be found, along with whether the person had been labeled an “important person” by the country’s Ministry of Public Security.
Another sample set included police files, including reports of crimes, as well as personal information such as phone numbers and ID numbers. The cases date from 1997 to 2019. A third sample set contained what appeared to be partial cellphone numbers and addresses of individuals.
When a Times reporter called the phone numbers of people whose information was in the sample police file data, four people confirmed the details. Four others confirmed their names before hanging up. None of the people contacted said they had any prior knowledge of the data breach.
In one case, the records gave a man’s name and said he had filed a complaint with the police in 2019 about a scam in which he paid about $400 for cigarettes that turned out to be moldy. The person, reached by phone, confirmed the details described in the leaked data.
The Shanghai Public Security Bureau declined to respond to questions about the hacker’s claim. Calls to the Cyberspace Administration of China went unanswered on Tuesday.
Posts, articles and hashtags about the data breach have been removed from Chinese social media platforms such as Weibo and the messaging app WeChat. On Weibo, accounts of users who posted or shared related information have been suspended, and others who discussed it have said online that they were asked to visit the police station for a chat.