The personal data of nearly a billion people in China has been stolen and has been online for over a year.

According to cybersecurity experts, the leak could be one of the largest in history, highlighting the risks associated with collecting and storing huge amounts of sensitive personal data online, especially in a country where authorities have wide and uncontrolled access to such data.

A huge trove of Chinese personal data has been publicly available through an unsecured backdoor link (a short web address that offers unlimited access to anyone who knows about it) since at least April 2021, according to LeakIX, a site that detects and indexes open databases online.

The database, which did not require a password, was closed after an anonymous user announced the sale of more than 23 terabytes (TB) of data for 10 bitcoins (approximately $200,000) in a post on a hacker forum last Thursday.

The user claimed that the database was compiled by the Shanghai police and contained sensitive information about one billion Chinese citizens, including their names, addresses, mobile phone numbers, national identification numbers, age and place of birth, as well as billions of records of phone calls made to police to report civil disputes and crimes.

A sample of 750,000 data records from three major database indexes was included in the seller’s post. CNN authenticated more than two dozen records from a sample provided by the seller, but was unable to access the original database.

The Shanghai government and police department did not respond to CNN’s repeated written requests for comment.

The seller also stated that the unsecured database was hosted by Alibaba Cloud, a subsidiary of Chinese e-commerce giant Alibaba. In a statement to CNN, Alibaba said it was aware of the incident and was investigating it.

But experts interviewed by CNN said the owner of the data was at fault, not the company hosting it.

“I believe this will be the largest publicly available information leak to date – by far, in terms of the breadth of influence in China, we’re talking about the majority of the population here,” said Troy Hunt, Microsoft Regional Director for Australia.

China is home to 1.4 billion people, meaning that more than 70% of the population could potentially be affected by a data breach.

“This is a small case where the genie will not be able to return to the bottle. Once the data is available as it appears to be now, there is no going back,” Hunt said.

It is not clear how many people accessed or downloaded the database during the 14 or more months it remained public on the Internet. Two Western cybersecurity experts who spoke to CNN were aware of the existence of the database before it was put on public display last week, suggesting it could have been easily discovered by people who knew where to look.

Vinny Troia, a cybersecurity researcher and founder of dark web analytics company Shadowbyte, said he first discovered the database “around January” while searching for open databases online.

“The site I found it on is public, anyone (can) access it, all you have to do is sign up for an account,” Troia said. “Because it was opened in April 2021, any number of people could download the data,” he added.

Troia said he downloaded one of the main indexes of the database, which appears to contain information on almost 970 million Chinese citizens.

Troia said it’s hard to tell for sure whether the open access was an oversight by the database owners or a deliberate shortcut meant to be shared among a small number of people.

“Either they forgot about it or deliberately left it open because it is easier for them to access it,” he said, referring to the authorities in charge of the database. “I don’t know why they did it. Sounds very careless.”

Unprotected personal data exposed through leaks, hacks or some form of incompetence is an increasingly common problem faced by companies and governments around the world, and cybersecurity experts say it’s not unusual for databases to remain open to public access.

In 2018, Troia discovered that a Florida-based marketing firm had posted about 2TB of data that appeared to include personal information about hundreds of millions of American adults on a public server, according to Wired.

In 2019, Dutch cybersecurity researcher Victor Gevers uncovered an online database containing the names, national identification numbers, dates of birth and location data of more than 2.5 million people in China’s far-western Xinjiang region, which had been left unprotected for months by Chinese firm SenseNets Technology, according to Reuters.

But the latest data breach is of particular concern, say cybersecurity researchers, not only because of its potentially unprecedented scope, but also because of the sensitive nature of the information it contains.

A CNN analysis of the database sample found police case records spanning nearly two decades, from 2001 to 2019. While most of the entries are for civil disputes, there are also entries for criminal cases ranging from fraud to rape.

In one case, a Shanghai resident was called by police in 2018 for using a virtual private network (VPN) to bypass China’s firewall and access Twitter, allegedly retweeting “reactionary remarks regarding the (Communist) party, politics and leaders.”

In another entry, a mother called the police in 2010, accusing her father-in-law of raping her 3-year-old daughter.

“There could be domestic violence, child abuse and all that stuff that worries me a lot more,” said Hunt, Microsoft’s regional director.

“Could it lead to extortion? We often see extortion of people after a data breach, examples where hackers may even try to ransom people.”

The Chinese government has recently stepped up efforts to improve the protection of user data privacy on the Internet. Last year, the country passed its first Personal Information Protection Law, which sets out the basic rules for the collection, use and storage of personal data. But experts have raised concerns that while the law may regulate technology companies, applying it to the Chinese state may be difficult.

Bob Diachenko, a security researcher from Ukraine, first encountered the database in April. According to Diachenko, in mid-June his company discovered that the database had been attacked by an unknown attacker who destroyed and copied the data and left a ransom note demanding 10 bitcoins for its restoration.

It is not clear if this was the work of the same person who advertised the sale of information from the database last week.

By July 1, the ransom note had disappeared, according to Diachenko, but only 7 gigabytes (GB) of data was available instead of the originally claimed 23 TB.

Diachenko said this suggests the ransom was resolved, but the database owners continued to use the open database for storage until it was closed over the weekend.

“Maybe some junior developer noticed this and tried to remove the notes before upper management noticed them,” he said.

Shanghai Police did not respond to CNN’s request for comment on the ransom note.
