An anonymous hacker is selling a massive database that allegedly contains the personal information of a billion Chinese citizens, more than two-thirds of the country’s population.
In a recent post on the cybercrime site Breach Forums, a user going by ChinaDan claimed to offer more than 23 terabytes of data for 10 bitcoin, which is around $200,000. The trove of data was allegedly leaked from a Shanghai police database. The data breach, which would be unprecedented in scale if true, has renewed concerns about the vast information Chinese authorities collect from its citizens and the room for abuse when it falls into the wrong hands.
“If legitimate, this would be one of China’s largest data breaches,” Albert Zhang, a cyber policy expert at the think tank Australian Strategic Policy Institute, told VICE World News.
The user released 750,000 records, a fraction of the supposed data, as a sample. One of three files contained the names, phone numbers, addresses, national ID numbers, birthplaces, and birthdays of 250,000 people across the country. Some entries also include their education level and marital status.
Another file listed 250,000 reports of crime to Shanghai authorities. They include cases of looting, online fraud, and domestic abuse, as well as offenses as petty as a 43-year-old getting an “illegal” handjob for 50 yuan (about $7.5) at a bathhouse in 2004.
VICE World News reached out to over a dozen people whose numbers are listed in the leak. All three people who responded to the queries confirmed the information in their police reports. One man confirmed his daughter-in-law was swindled out of nearly 1,500 yuan ($225) after purchasing fake plane tickets online in 2015. Another woman said she reported a robbery at her flat in 2019, as the leaked document stated.
Among the three victims VICE World News spoke to, only one was aware of the data breach, but he did not realize it included his report of a stolen vehicle in 2010. “If a case as old as mine can be dug out, I am indeed worried about my privacy and the potential abuse of the sensitive data,” he said. “I hope something can be done about it, but containing the damage would be very difficult.”
VICE World News also corroborated the names and phone numbers of another four people with the name verification function in Alipay Transfer and their WeChat contacts.
Yi Fuxian, a demographer at the University of Wisconsin-Madison, has been combing through the sample data. He identified people from his home county in the central province of Hunan, who adopt generation names according to their genealogy. He also found records of acquaintances in a neighboring village. “The data covers almost every county in China, including ones in remote areas in Tibet or along the border with India,” he told VICE World News. “It shows the information is likely authentic and not fabricated.”
On the same site, the hacker has also implicated Alibaba Cloud as the host of the Shanghai police database and the source of the leak. The Alibaba Group said it was aware of the incident and was investigating.
Though some of the published information has proven to be real, Zhang warned that there is no way to verify the full dataset, and scams are common on such forums. He also found it suspicious that the hacker asked for a payment in Bitcoin as opposed to cryptocurrencies that are less traceable and often used by other criminals.
However, the disclosure of the sensitive data in the sample alone has warranted fears about the wide-reaching consequence, should it be obtained by cybercriminal organizations or ransomware groups. “The publicly released sample could be used by anyone to create fake identity documents, scam other individuals and organizations and possibly lead to further leaks of corporate and government databases,” Zhang said.
Digital rights and cybersecurity experts also say it is ironic that the source of the database seemed to be the Chinese government, which has been concerned about data security and sought to restrict private companies’ collection of consumer data last year with expansive rules. The state itself is not subject to the same regulations.
“Data protection laws are designed mainly to rein in private companies but ensure exceptions for the state to continue harvesting data for techno-authoritarian growth,” said Michael Caster, Asia digital program manager of the UK-based human rights group ARTICLE 19.
Though China operates an increasingly sophisticated surveillance system, the police’s growing collection of intelligence compounds the risks people face. Even with measures to harden servers, the surest way to protect populations against massive leaks of their personal data is to stop both private and state actors alike from gathering it in the first place, Caster added.
But that is unlikely to happen given China’s obsession with harnessing data as a tool for control.
“Despite the legitimate concerns about privacy that people in China sincerely hold and the passing of laws to crack down on the private sector’s collection, sale, and use of personal data, China’s government structure demands poor data security,” Dakota Cary, a nonresident fellow with the Atlantic Council’s China Hub, told VICE World News.
For instance, WeChat, China’s most popular messaging app, is unencrypted, which allows the Chinese government to read and censor even private messages. In fact, Chinese social media site Weibo has scrubbed posts about the leak and censored a related hashtag by Monday after it briefly trended.
“If China’s censors are successful at deleting related content, most Chinese citizens may never know the breach occurred,” Cary said.