The data includes names, national identity and telephone numbers, medical records, details of police reports and other information. While the authenticity of the full database has not been confirmed, The Post’s review of some of the ID numbers appears to be traced to information found on a government website.
Alleged hackers From the late 1990s to 2019, it said there were several billion case reports and records of 1 billion Chinese citizens, ranging from theft to fights and domestic violence. If approved, the database would cover more than 70 percent of China’s 1.4 billion people. Personal information and reported incidents are contained in separate files.
Despite the coverage, the government prevented victims from learning about the leak. A keyword search for “data leak” or “Shanghai police database” on Weibo, a Twitter-like platform widely used in China, yielded no results related to the breach. one The person affected confirmed the details of the memo in an interview with The Post, but did not know about the leak.
The breach followed last year’s enactment of China’s Personal Data Protection Law, which imposed strict security measures on corporate and government agencies handling personal data. The law comes after Chinese regulators ordered more than 40 companies to make the changes operations for breaching their data transfer rules, Reuters informed.
Kendra Schaefer, head of technology policy research at China-based research group Trivium China, said on his Twitter account Monday’s incident was the first major public violation by a government agency under the new law, it said. “So it’s not clear who is responsible for whom,” he said. The Ministry of Public Security (MSP) typically oversees cybercrime investigations.
“The records also allegedly contain details of juvenile case files,” Schaefer said. “So that would be a violation of the Minority Protection Act.” He raised the possibility that the data contained information from celebrities or officials.
In the sample data set released, certain data were linked to individuals listed under “seven categories of key people”, a reference to individuals monitored by the MSP for suspected criminal activity.
State departments, the Shanghai government and the Shanghai police department did not respond to requests for comment.
However, the documents may have been online before the law took effect — it only came to public attention after the alleged hacker posted it online. Cybersecurity researcher Vinny Troia told CNN The public website, which opened in April 2021, stated that it was informed about the database in January, meaning that anyone can access the database since then.
Government officials accidentally included the credentials needed to access the database in a blog post on the China Software Developers Network. Changpeng Zhao, CEO of the Binance cryptocurrency exchange, cited this theory. tweet Monday. He said the company is “already stepping up checks” for potentially affected users.
The unnamed poster claimed the database was run by AliCloud, a subsidiary of Chinese e-commerce giant Alibaba Group. Cloud providers associated with large technology companies, such as AliCloud, typically build digital infrastructure for government agencies.
Alibaba Group did not respond to a request for comment.
But Shawn Chang, CEO of security solutions provider HardenedVault, found the theory unconvincing. “Shanghai is a city [with] 250 million people. AliCloud is unlikely [to use] It’s a key for the entire police system,” he said. He added that the breach may have been elsewhere, such as centralized key management services that failed to pass the authentication process.
Web security consultant Troy Hunt said the anonymity of the person offering the sale, as well as the size of the database, raise questions about its accuracy. He added that a large payment requirement also increases the possibility of a claim being exaggerated or falsified.
But the data was also powerful, “because it’s a very unique class of data,” Hunt said. Unlike names and phone numbers self-reported when filling out an online form – seen in other data breaches – these were “only one place” police reports.
It’s no secret that government agencies in China manage their information systems poorly. “The problem with the Chinese government is that they collect the data of all citizens on public service platforms, and this leads to serious consequences after the data is leaked. You have to submit your data wherever you go. But there, “Private companies are also bad at handling data, but more so than the government. it’s good.”
Earlier this year, a researcher obtained a cache documents From the Xinjiang Police, he detailed brutal surveillance and re-education practices in the region and shed light on Beijing’s crackdown on the Uyghur population.
