Massive Chinese Police Database Hacked/Sold, Gov’t Responds By Trying To Bury The News

(Mis)Uses of Technology

from the china's-national-bird-is-the-third-person-ostrich dept

The problem with gathering tons of sensitive data and storing it indefinitely is sooner or later someone with even worse intentions is going to come looking for it. And China’s massive surveillance apparatus collects oh so much data.

It’s far too tempting to resist. Someone with the guts and audacity to go after one of the most repressive regimes in the world has made a mockery of the government’s security measures and is now, presumably, making a tidy profit. Rachel Cheung has the details for Motherboard.

An anonymous hacker is selling a massive database that allegedly contains the personal information of a billion Chinese citizens, more than two-thirds of the country’s population. 

In a recent post on the cybercrime site Breach Forums, a user going by ChinaDan claimed to offer more than 23 terabytes of data for 10 bitcoin, which is around $200,000. The trove of data was allegedly leaked from a Shanghai police database. 

Researchers and journalists are still trying to verify the hacker’s claims. ChinaDan released 750,000 files, which is still only a very small percentage of the alleged total haul. Some of the criminal records released have been verified, suggesting this reported breach may be legitimate.

Not only is there the potential for massive fraud, what with apparent access to the credentials and other personal information belonging to nearly one billion people, there’s plenty that could be used to embarrass Chinese residents, personally or professionally.

Another file listed 250,000 reports of crime to Shanghai authorities. They include cases of looting, online fraud, and domestic abuse, as well as offenses as petty as a 43-year-old getting an “illegal” handjob for 50 yuan (about $7.5) at a bathhouse in 2004.

And the damage could go further than simply ruining someone financially via regular old identity fraud. This being China, a truly malicious person could theoretically convert stolen credentials into lifetime imprisonment for victims by using this info to fire up accounts on internet services to traffic in anti-government rhetoric.

There’s a private (well… as private as a company can be in China) contractor in the mix as well. Alibaba’s cloud service apparently hosted the database. In a comment to Motherboard, the company said it was aware of the incident and was investigating.

Chinese citizens may be the victims, but they’ll also be the last to know, if the government can do anything about it.

The alleged hack set Chinese social media abuzz for a brief period over the weekend, but by Monday microblogging network Weibo and Tencent’s WeChat had begun to censor the topic.

Hashtags such as “data leak”, “Shanghai national security database breach” and “1 billion citizens’ records leak”, which had amassed millions of views and comments, were blocked on Twitter-like Weibo.

One Weibo user with 27,000 followers said a viral post about the hack had been removed by censors and that she had already been invited by local authorities to discuss the post.

So far, so China. The censorship is in full effect. And the government, which should feel obligated to inform citizens their personal information has possibly been compromised, refuses to discuss the hacking. According to the Financial Times, numerous branches of the Shanghai government have refused to comment on the incident and the agency in charge of national data security (Cyberspace Administration of China) chose not to respond to reporters’ questions.

I realize the Chinese government cares far more about its well-being than the concerns of its billions of constituents, but burying bad news and pretending it isn’t happening is insanely harmful. But, in the end, it will be citizens that are harmed the most, so why should the government care?

Filed Under: china, data breach, leak, police, surveillance