Data leak of a billion Chinese nationals questions Xi's 'so-called' claims of data security
Jul 09, 2022
Hong Kong, July 9: Despite China's claims of spending huge sums on the country's data security, the latest leak of a Shanghai police database, including personal data of nearly a billion citizens, stoked anxiety among Chinese nationals, who accused the government of intentionally putting their personal data at risk.
The information came to light after an unknown user on a hacker forum informed the world that he had found the data of nearly a billion citizens lying free for anyone to hack or misuse, exposing the privacy risk of the Chinese government's vast surveillance. The data had been lying unsecured online for nearly a year, the HK Post reported.
According to the user who reported the data leak, it was allegedly the Shanghai police who collated the data and "it contained sensitive information on one billion Chinese nationals, including their names, addresses, mobile numbers, national ID numbers, ages and birthplaces, as well as billions of records of phone calls made to police to report on civil disputes and crimes".
The media report said that the news was widely circulated on Chinese media sites, which outraged citizens. But within a few hours of the news, the hashtag "data leak" was reported blocked on the Weibo platform, a sign that the Chinese government does not want the news to spread.
It came as a shocker for Chinese President Xi Jinping. A report from Xinhua quoted Xi speaking about data at a conference: "It is necessary to safeguard the country's data security, protect personal information and business secrets, and promote the efficient circulation and use of data so as to empower the real economy," Xi said.
The HK Post quoted a CNN report, which said that the vast trove of Chinese personal data had been publicly accessible via what appeared to be an unsecured backdoor link, a shortcut web address that offers unrestricted access to anyone with knowledge of it, since at least April 2021, according to LeakIX, a site that detects and indexes exposed databases online.
"Access to the database, which did not require a password, was shut down after an anonymous user advertised the more than 23 terabytes (TB) of data for sale for 10 bitcoin -- roughly USD 200,000 -- in a post on a hacker forum," the report added.
The HK Post further noted that CNN tried to access the original database but reported it could not do so. However, it did manage to verify some entries the seller provided. The seller's post had included a sample of 750,000 data entries "from the three main indexes of the database".
Another allegation, made by the seller, is that the unsecured database was "hosted by Alibaba Cloud, a subsidiary of Chinese e-commerce giant Alibaba" but the company only said, "we are looking into this".
However, the recent data breach does not come as much of a revelation to the world. Several such data leaks have been reported earlier. But it was China that was accused by the West of sensitive data theft in the last couple of years.
With the latest data breach, the country, with a population of nearly 1.4 billion, has put the personal information of nearly 70 per cent of its population at risk. Experts said that it is unclear how many people accessed or downloaded the database during the 14 months or more it was left publicly available online.
Vinny Troia, a cyber security researcher and founder of dark web intelligence firm Shadowbyte, said that he first discovered the database "around January" while searching for open databases online.
"The site that I found it on is public, anybody (could) access it, all you have to do is register for an account. Since it was opened in April 2021, any number of people could have downloaded the data," he added. Troia revealed he "downloaded one of the main indexes of the database, which appears to contain information on nearly 970 million Chinese citizens".
Accusing the Chinese authorities of being responsible for the data leak, Troia said, "Either they forgot about it, or they intentionally left it open because it's easier for them to access."
Cyber experts say this is a warning to the Chinese government that there are high risks involved in storing such huge amounts of people's data online.
Notably, China is collecting a staggering amount of personal data from millions of citizens with the intention to design a system where they can find out a person's identity, which will help the government in maintaining its authoritarian rule.
It claims that it is using surveillance because social stability is paramount and any threat to the government should be eliminated.
However, the Chinese government has never admitted to the surveillance; the details of the spy technologies at work inside China are emerging from police research papers, surveillance contractor patents and presentations, as well as hundreds of public procurement documents.
The worst thing about surveillance is its patent illegality. Often people don't know they're being watched. Chinese authorities interfere in the public's privacy without permission.