Beijing wants to create a centralized database with personal information on everyone living in China. To do that, the government saves massive amounts of data acquired through surveillance technologies such facial and voice recognition and cell phone monitoring. In a previous article, we saw that the Chinese government’s surveillance network is much more extensive than once thought.

However, while the Chinese government has prioritized collecting massive amounts of data, it has not prioritized protecting it. Thus, a hacker has acquired police data files on 1 billion Chinese residents (approximately 23 terabytes of data) from the Shanghai National Police database. The files include name, national ID number, cell phone number, birthdate, birthplace, ethnicity, education level, marital status, and delivery records.

They also include records of crimes ranging from serious offenses such as rape or abuse to “people who should be closely monitored” — which can be broadly defined as anything the Chinese Communist Party perceives as a threat. Other files show the names of people who reported a crime to the authorities and information on government officials, all of which can be used by malevolent actors for revenge, extortion, or blackmail.

TechCrunch has pictures of six of the police records (JSON file format), translated but with personal information redacted. One of the files, dated May 3, 2018 says,

The police of our bureau found that ——- used VPN software in ——– Shanghai to go over the wall of the foreign website “Twitter” and “forward reactionary remarks involving the party, politics, and leaders”, “suspected of disturbing social and public order”, “The police summoned the suspect ——- to the public security organ with his work permit.

Zack Whittaker, Carly Page, “A huge data leak of 1 billion records exposes China’s vast surveillance state” at TechCrunch (July 7, 2022)

Another file has data from a food delivery service, while a third has details on a 13-year-old boy, including name, address, ethnicity, ID number, birthplace, and a photograph of his passport.

According to Cybernews, the ramifications of this hack are wide-ranging and could pose a national security risk for China:

The availability of personal information on a large chunk of China’s population — estimated at more than 1.4 billion in total — could cause long-term problems such as identity theft and targeted phishing attacks, affecting hundreds of millions of people.

Worryingly, leaked case records covering periods of over 20 years could provide threat actors with the means to seek retribution over criminal cases that resulted in, for example, conviction.”

Vilius Petkauskas, “Shanghai police data leak may be a national security concern for China” at Cybernews (July 7, 2022)

The data was left exposed for over a year

According to the Wall Street Journal, the data was saved on a cloud server maintained by Alibaba Group, which hosts the Shanghai Police database. While the police records were stored securely, the dashboard that allows officials to easily access and search the database was set up with a public web address without encryption. That means anyone with the web address could access the data files.

Several cybersecurity companies that found the vulnerability earlier this year have said that it looks like the database was exposed from April 2021 to mid-June 2022. They described the online dashboard as “an open door to a data vault.” Authorities apparently did not “shut the door” to the vault until the hack received widespread attention from the media after the data was put up for sale on a Dark Web forum. Now Chinese censors are blocking any mention of the hack on Weibo and WeChat.

The hacker first offered the data for ransom

The hacker, who goes by “ChinaDan,” originally wiped the data from the police server and left a ransom note that read:

“your_data_is_safe”
“contact_for_your_data…recovery10btc.”

Presumably, when the Shanghai police would not pay the 10 Bitcoin (US$200,000) ransom, the hacker posted the data cache and price on the Dark Web forum for the same price,. The hacker (or hacking group) gave open access to 750,000 of the records so that potential buyers could check that the data was legit. The New York Times, Wall Street Journal, and CNN made phone calls to some of the private numbers listed in the open data. The people they called confirmed the details in the files.

“Data security is for little people…”

Several commentators have mentioned the Chinese Communist Party’s “central contradiction.” Last year the CCP cracked down on companies for not protecting user data by passing several personal data laws, including the Personal Information Protection Law. This was a much-needed measure that was modeled from the General Data Protection Regulations in Europe. However, unlike Europe’s laws, China’s data privacy laws do not apply to the government, which can collect data on people without their knowledge or consent.

The Chinese government justifies its surveillance state in the name of national security. But as a result of its tireless collection of data, this hack — due to carelessness on the part of the local police — has compromised one billion people’s personal information. It poses a national security risk, should other nation-states decide to use the data for malevolent purposes. As a New York Times article pointed out,

The hacker’s offer of the Shanghai police database highlights a dichotomy in China: Although the country has been at the forefront of collecting masses of information on its citizens, it has been less successful in securing and safeguarding that data.

John Liu, Paul Mozur, and Kalley Huang, “In a big potential breach, a hacker offers to sell a Chinese police database” at New York Times (July 5, 2022)

The CCP is brokering with trade-offs and may be overestimating its ability to mitigate the consequences. If the State decides to centralize all its surveillance data so that officials can access it anywhere and at any time, it has created a highly valuable target that is only as secure as the people who have access to it. Yaiu Wang of Human Rights Watch told the New York Times that if the government fails to protect citizens’ data, there is no mechanism to hold it accountable:

In Chinese law, “there is vague language about state data handlers having responsibility to ensure the security of the data. But ultimately, there is no mechanism to hold government agencies responsible for a data leak,” she said.

“In this Shanghai police case, who is supposed to investigate it?” said Ms. Wang of Human Rights Watch. “It’s the Shanghai police itself.”

John Liu, Paul Mozur, and Kalley Huang, “In a big potential breach, a hacker offers to sell a Chinese police database” at New York Times (July 5, 2022)

Or, in the familiar proverb, “Who is watching the watchers?” The Ministry of Public Security handles any local municipalities’ violations of cybersecurity, but it was the Shanghai police, a Public Security Bureau that is part of the Ministry of Public Security, that failed to protect users’ data. Furthermore, the public cannot hold the government accountable since information about the hack has been censored on Chinese social media and news sites.

Yes, it’s in China but not just in China

While the scale of the Shanghai police database hack is, in part, a consequence of Beijing’s goal of total surveillance of its population, the breach should also remind us that all companies and organizations that store our data are vulnerable to hacks.

The CISA, the FBI, and the CIA issued a cybersecurity alert in June on the large-scale cyberespionage and cybertheft program targeting major telecommunications companies. Then, this past week, Christopher A. Wrey and Ken McCallum, directors of the CIA and MI5, respectively, said that over the past two years, Chinese state actors have compromised thirteen telecom organizations around the world.

And while China may have experienced the largest personal data hack in history, the U.S. was the target of one of the most sophisticated and sweeping supply-chain hacks in history. In 2020 Russian operatives infiltrated multiple levels of the U.S. government through commonly used software developed by the company, SolarWinds. The hack has led to changes in how the U.S. addresses cybersecurity and supply-chain vulnerabilities, but experts say the effects will last for years.

You may also wish to read: China is quite serious about total surveillance of every citizen. Local governments are buying enough surveillance equipment to constantly watch 1.6 billion people, documents show. China’s leader Xi Jinping is a techno-optimist who believes that data is power, and that China will achieve AI supremacy by 2030. Whatever it takes, it seems. (Heather Zeiger)