One Billion Records Exposed in China’s Data Breach

This is probably the biggest breach of personal information ever...

Another day, another breach, but “this time, it’s different.” Because this time we’re talking about a breach from China. And you know when something comes from China, the numbers are huge.

Specifically, the breach involves information on about one billion Chinese residents, making it one of the biggest (if not the biggest) breaches of personal information in history.

Portions of the leaked data appeared recently on a known cybercrime forum, posted by someone selling the cache for 10 bitcoins. The data was allegedly siphoned from a Shanghai police database stored in Alibaba’s cloud.

Details are scarce, though at least parts of the data have been verified as authentic. What is unknown is how all this data came to be in the hands of an underground seller. Also, as far as the majority of Chinese people are concerned, there is no breach since it wasn’t mentioned in any major media outlet. They have good ol’ censorship to “thank” for this.

How did this happen?

In a since-deleted post offering the data for bitcoin, the seller claimed to have downloaded the data from a cloud storage server hosted by Alibaba.

While it is unknown how the data ended up in hackers’ hands, some experts suggest that the database may have been misconfigured and exposed by human error. The database wasn’t password-protected, though one needed to know the exact URL to access it.

Hackers who find a resource like this tend to encrypt it and then ask for a ransom for decryption keys. Alas, that didn’t seem to take place here.

“My hypothesis here is that the ransom note did not work and the threat actor decided to get money somewhere else. Or, another malicious actor came across the data and decided to put it up for sale,” Bob Diachenko, a Ukrainian security researcher, told TechCrunch.

Unsurprisingly, little is known about the seller of the data or even for what reason the data was dumped online.

What’s in the data?

TechCrunch managed to get a sample of the data and analyze it. Specifically, they got three files, about 500 megabytes in total, each containing 250,000 individual records.

The data is in JSON format, making it easy to read and analyze. From what they gather, this is real stuff, as it would be difficult — though not impossible — to fake that many personal details on such a large scale.

The files appear to contain detailed police reports dating from 1995 through 2019, including names, addresses, phone numbers, identity numbers, sex, as well as the reason why the police were called out. Also included were granular coordinates where incidents occurred, police reports, the names of informants who made the reports, the individuals’ race and ethnicity, as well as information on children, dates of birth, and more.

Furthermore, several records show police reports cracking down on the use of VPNs.

Aside from TechCrunch, other publications such as The Wall Street Journal, The New York Times and CNN have also verified portions of the data by calling individuals whose information was found in the database.

The impact

It was already known that the Chinese government is spying on its citizens, and thanks to this breach, we can see the scale of that operation — it’s massive.

While we doubt they will change their practices — quite the contrary — this incident could prompt savvy users to change their Internet habits and be more cautious online.

It is interesting to note that the breach comes at a time when China is stepping up protection for personal data. Last September, the government passed the Personal Information Protection Law, which is widely seen as China’s equivalent of Europe’s GDPR rules. Said law restricts how businesses can collect personal data and is expected to have a sweeping effect on the ad businesses of the country’s biggest tech giants, but allows broad exceptions for government agencies and departments that make up China’s vast surveillance capabilities.

So even the law itself is saying it – you, the businesses, can’t get all the data but for us, the government, there are no restrictions of any kind. Yes, it’s spooky and yes, you must use a VPN wherever you go.