In what may be one of the largest known Chinese personal data breaches, a hacker has offered to sell a Shanghai police database that may contain information on perhaps a billion Chinese citizens.
The unidentified hacker, who goes by the name ChinaDan, posted on an online forum last week that the database for sale included terabytes of information on one billion Chinese people. The extent of the leak could not be verified. The New York Times confirmed parts of a sample of 750,000 records the hacker released to prove the authenticity of the data.
The hacker, who joined the online forum last month, is selling the data for 10 Bitcoin, or about $200,000. The individual or group did not provide details on how the data was obtained. The Times contacted the hacker via email on the post, although it could not be delivered as the address appeared to be incorrect.
The offer from the Shanghai police database hacker highlights a dichotomy in China: Although the country has been at the forefront of collecting masses of information about its citizens, it has less successful in securing and protecting this data.
Over the years, Chinese authorities have become adept at collecting digital and biological information about people’s daily activities and social relationships. They analyze social media posts, collect biometrics, track phones, record video using police cameras, and sift through what they get to find patterns and aberrations. A Times investigation last month found that the Chinese authorities’ appetite for information among ordinary citizens has only grown in recent years.
But even as Beijing’s appetite for surveillance has intensified, authorities have appeared to leave the resulting databases open to the public or leave them vulnerable with relatively weak safeguards. In recent years, The Times has reviewed other databases used by police in China.
The Chinese government has worked to tighten controls on a leaky data industry that has fueled internet fraud. Yet law enforcement has often focused on tech companies, while authorities appear exempt from strict rules and penalties aimed at securing internet company information.
Yaqiu Wang, senior China researcher at Human Rights Watch, said if the government doesn’t protect its citizens’ data, there are no consequences. In Chinese law, “there is vague language about which state data handlers have the responsibility to ensure data security. But ultimately, there is no mechanism to hold government agencies responsible for a data leak,” she said.
Last year, for example, Beijing cracked down on Didi, China’s equivalent of Uber, after its effort to list on the New York Stock Exchange, citing the risk that sensitive personal information could be exposed. But when local authorities in China’s Henan province misused data from a Covid-19 app to block protesters last month, officials were largely spared stiff penalties.
When small leaks were reported by so-called hackers, who research and report vulnerabilities, Chinese regulators warned local authorities to better protect the data. Even so, ensuring discipline has been difficult, with the responsibility of protecting data often falling to local managers who have little experience in overseeing data security.
Despite this, the public in China often expresses confidence in the authorities’ handling of data and generally views private companies as less trustworthy. Government leaks are often censored. News of the Shanghai police breach was also mostly censored, with Chinese state media failing to report it.
“In this Shanghai police case, who is supposed to investigate? said Ms. Wang of Human Rights Watch. “It’s the Shanghai police themselves.”
In the hacker’s online publication, samples of the Shanghai database were provided. In a sample, the personal information of 250,000 Chinese citizens — such as name, gender, address, government-issued identification number and year of birth — was included. In some cases, the occupation, marital status, ethnic origin and level of education of the individuals, as well as whether the person has been classified as a “key person” by the country’s public security ministry, could also be found.
Another set of samples included police records, which included records of reported crimes, as well as personal information such as phone numbers and IDs. The cases dated from 1997 to 2019. The other set of samples contained information that appeared to be individuals’ partial cellphone numbers and addresses.
When a Times reporter called the phone numbers of people whose information was in the sample data from police records, four people confirmed the details. Four others confirmed their names before hanging up. None of those contacted said they had knowledge of the data leak.
In one case, the data provided a man’s name and said that in 2019 he reported a scam to police in which he paid around $400 for cigarettes that turned out to be moldy. The individual, reached by telephone, confirmed the details described in the leaked data.
The Shanghai Public Security Bureau declined to answer questions about the hacker’s allegation. Calls to the Cybersecurity Administration of China went unanswered on Tuesday.
On Chinese social media platforms, such as Weibo and the WeChat communication app, posts, articles and hashtags regarding the data breach have been removed. On Weibo, the accounts of users who posted or shared related information have been suspended, and others who spoke about it said online that they were asked to come to the police station to discuss.