For sale: Personal data of up to 1B Chinese citizens
Hacker’s offer highlights country’s shortcomings in securing sensitive information
In what may be one of the largest known breaches of Chinese personal data, a hacker has offered to sell a Shanghai police database that could contain information on perhaps 1 billion Chinese citizens.
The unidentified hacker, who goes by the name “ChinaDan,” posted in an online forum last week that the database for sale included terabytes of information on 1 billion Chinese. The scale of the leak could not be verified. The New York Times confirmed parts of a sample of 750,000 records that the hacker released to prove the authenticity of the data.
The hacker, who joined the online forum last month, is selling the data for 10 bitcoin, or about $200,000. The individual or group did not provide details on how the data was obtained.
The hacker’s offer of the Shanghai police database highlights a dichotomy in China: Although the country has been at the forefront of collecting masses of information on its citizens, it has been less successful in securing and safeguarding that data.
Over the years, authorities in China have become expert at amassing digital and biological information on people’s daily activities and social connections. They parse social media posts, collect biometric data, track phones, record video using police cameras and sift through what they obtain to find patterns and aberrations.
But as Beijing’s appetite for surveillance has ramped up, authorities have appeared to leave the resulting databases vulnerable with relatively weak safeguards.
China’s government has worked to tighten controls over a leaky data industry that has fed internet fraud. Yet the focus of the enforcement has often centered on tech companies, while authorities appear to be exempt from strict rules and penalties aimed at securing information at internet firms.
Although it was possible to verify samples provided by the hacker, whether it contains as much data as claimed has not been established.
In one sample, the personal information of 250,000 Chinese citizens — such as name, sex, address, government-issued ID number and birth year — was included. In some cases, the individuals’ profession, marital status, ethnicity, education level and whether the person was labeled a “key person” by the country’s Public Security Ministry could also be found.
Another sample set included police case records, which included records of reported crimes as well as personal information such as phone numbers and IDs. The cases dated from as early as 1997 until 2019. The other sample set contained information that appeared to be individuals’ partial mobile phone numbers and addresses.
When a Times reporter called the phone numbers of people whose information was in the sample data of police records, four people confirmed the details. Four others confirmed their names before hanging up. None of the people contacted said they had any previous knowledge about the data leak.