Police database breach a 'big black eye' for Chinese security systems

Jul 09, 2022

Shanghai [China], July 9: Outrage is rising among Chinese citizens as numerous breaches of personal data stored on Chinese security systems come to light, the latest being a breach of the Shanghai police database.
According to The New York Times, the Shanghai police database, a vast trove of personal data that was seized by a hacker, was left unsecured for months, security researchers said, and the incident turned out to be the largest known breach of Chinese government computer systems.
The leak came to light after an anonymous user posted in an online forum offering to sell personal information of as many as one billion Chinese citizens, exposing the privacy risks of the Chinese government's vast surveillance.
The Communist Party collects a huge amount of data on citizens by tracking their movements and recording their DNA and other biological markers, The New York Times reported, adding that the data has been subject to severe leaks because it was kept on unprotected servers.
Claiming to have information on 90 million citizens, another anonymous user posted on social media offering to sell a separate police database from the central Chinese province of Henan.
Over recent years, Chinese citizens have expressed growing demands for personal privacy and data protection from companies as the online security breaches fueled public resistance to the collection of private data by the government.
However, the news about the leak was swiftly censored and removed from the Chinese internet and social media platforms, a sign that the government understood the explosive nature of the apparent breach.
As of Thursday, hashtags such as "Shanghai data leak," "data leak of one billion citizens" and "data leak" remained blocked on Sina Weibo, a popular Chinese microblogging service, The New York Times reported, citing local media sources.
"It's left a big black eye for the Chinese public security world, and by extension the Chinese government," said Paul Triolo, senior vice president for China at Albright Stonebridge Group, a strategy firm, on China's policies on surveillance of its masses.
"It's not surprising they've gone into full censorship mode given how sensitive this issue is for the public," he said.
While large data leaks are not uncommon, the Shanghai police database stands out both for its scale and for the highly sensitive nature of some of the information included, security researchers said.

One of them, Vinny Troia, founder of Shadowbyte, a threat intelligence company, said he had first stumbled across the database months ago. Data from LeakIX, an online platform that trawls the internet for exposed databases, shows that the server was accessible as early as April 2021.
Moreover, the anonymous user, who goes by the name ChinaDan, released a sample of 750,000 records to prove the authenticity of the data. In addition to addresses and ID numbers, the database included information on "key persons" identified by the police as requiring heightened surveillance, as well as police reports.
In another case, a person was investigated for petitioning at Tiananmen Square in Beijing. The sample also included the names and passport numbers of American citizens who violated the terms of their visas in China, The New York Times confirmed, citing the local media.

Many Chinese have grown accustomed to surveillance, censorship and frequent telemarketing calls.
"It's alarming because these are the files of ordinary people," said May Peng, a saleswoman in Shanghai whose details were also in the sample set. She confirmed that, as the data showed, she had filed a police report in 2017 when her electric scooter was stolen.
Shanghai's public security bureau declined to respond to questions about the database and the government continues to stay silent on the issue.
Troia and another researcher, Bob Diachenko, owner of SecurityDiscovery.com, a cybersecurity consultancy, said the Shanghai data had been stored securely on a closed-off network until someone set up a gateway that essentially punched a hole through the firewall.
"Creating such portals was common practice among developers as a way to gain easy access to a database, but such gateways should be password-protected. The gateway to the Shanghai database did not have a password," they added.
Troia further said that he had first come across the unsecured trove of files in December or January and he had downloaded and reviewed a small sample of the files at the time.
Security researchers say the vast amount of personal information in the Shanghai database could put the individuals whose data was exposed at risk of extortion, blackmail or fraud; however, the Chinese government does not pay heed to it.
The Chinese government has recently stepped up efforts to improve the protection of online user data privacy. Last year, the country passed its first Personal Information Protection Law, laying out ground rules on how personal data should be collected, used and stored.
But experts have raised concerns that while the law can regulate technology companies, it could be challenging to enforce when applied to the Chinese systems.