Politics : The Surveillance State

To: Ron who wrote (395)
7/12/2022 11:04:14 AM
From: TimF

Why China’s Massive Data Leak Is So Chilling
By Sarah Zheng
July 11, 2022

Hi, it’s Sarah Zheng in Hong Kong. China may have suffered its largest data breach ever. But first...

What we know about Shanghai’s leak

If you were only reading Chinese newspapers last week, you would have missed potentially the largest known data breach in the country’s history.

An unidentified person claimed to have accessed a massive Shanghai police database and was hawking its contents—23 terabytes of sensitive information including names, ID numbers, addresses and even detailed criminal case information—for the price of 10 Bitcoins, or about $200,000.

It’s unclear how the breach happened. According to some reports, the data had been left more or less exposed since last year. Multiple security researchers who analyzed a small sample of the personal data being sold have said it appears authentic.

As someone who previously lived in Shanghai, I held my breath before running a search for my own details, which thankfully did not appear in the published sample. But of course, thousands of others—Chinese citizens and foreigners who have lived in or even just passed through Shanghai—weren’t as lucky.

While the sprawling breach quickly made international news, government officials and state-run media—usually quick to denounce online rumors—kept quiet. Meanwhile, many comments on the eye-popping exposure have been scrubbed from Chinese social media.

The country’s silence speaks volumes. While cyberattacks and data exposure incidents are increasingly common, the alleged data leak is notable because of both its incredible size and source: the Shanghai police, who help enforce the country’s increasingly strict cybersecurity and data privacy laws.

The incident has exposed not only the scale of data collection by Chinese authorities but also the carelessness with which that data may have been handled. The information collected by the Shanghai police goes beyond contact information, with profiles containing education levels, marital status, professions—even logs relating to individual delivery records, according to our analysis of the published samples.

The prevailing theory about how the information wound up for sale online is that the police database—hosted by a third-party cloud service provider—had simply been left unsecured, without so much as a username and password. Bob Diachenko, from the cyber research site Security Discovery, said he stumbled upon the open dataset months ago. That raises the question of how many others may have accessed the nearly 1 billion records, and the personal risks that those affected now face. However the data was accessed, what is revealing is that Shanghai authorities did not do more to secure this vast trove, researchers said.

So far, the only official reaction following the breach has been Chinese Premier Li Keqiang’s calls to bolster information security, to allow the public and businesses to “operate with a peace of mind.” But even without formal news reports, it has been impossible to erase all public discussion of a leak of this scale, even though censors have tried their best. “If they delete everything, then the database will not have been leaked,” one commenter wrote wryly on the Twitter-like Weibo service.

After Fudan University professor Shen Yi posted pointedly last week about a 2017 incident in which millions of U.S. voter records were leaked online, another user quipped about the high selling price of the Shanghai cache: “Their data is free, but at least for ours, not everyone can obtain it.”

It’s certainly politically embarrassing if the Shanghai police are found to be responsible for the supposed leak, particularly as President Xi Jinping has made cybersecurity a priority, linking it firmly to national security. Gone are the days when privacy was a passing concern in China, when Baidu’s CEO Robin Li in 2018 said controversially that Chinese people were willing to trade data privacy for safety and convenience.

But even with Beijing’s mounting focus on cybersecurity, experts say it remains woefully behind in infrastructure and broader awareness—a more potent problem as the state collects even more personal information.

Perhaps the biggest takeaway from this episode is simply the sheer scope of information collected under China’s sprawling surveillance apparatus. There may be no way to opt out from the state’s watchful eye, but researchers say high-profile incidents like this may at least serve as a warning for those in charge to better secure our data.

Sarah Zheng with Katrina Manson
bloomberg.com