In what may be one of the largest known breaches of Chinese personal data, a hacker is offering for sale a Shanghai police database that could contain information on perhaps one billion Chinese citizens.
Although it was not possible to immediately verify the scale of the leak, which the hacker said in a post on a forum included terabytes of information on a billion Chinese, The New York Times was able to verify parts of a sample of 750,000 records the hacker released to prove the authenticity of the data.
The unidentified person or group is selling the data for 10 Bitcoin, or about $200,000.
In recent years, China’s government has worked hard to tighten controls over a leaky industry that has fed internet fraud. Yet the focus of this enforcement has often centered on tech companies. The government itself, which has long struggled to adequately protect the reams of data it collects on citizens, is often exempt from strict rules and penalties aimed at internet firms.
In the past, when smaller leaks were reported by so-called white-hat hackers, who search out and report vulnerabilities, Chinese regulators warned local authorities to better protect the data. Even so, ensuring discipline has been difficult. With the police presiding over one of the world’s most invasive surveillance apparatuses, the responsibility to protect the data collected often falls on local officials who have little experience overseeing data security. As a result, problems in which databases are left open to the public or made vulnerable by relatively weak safeguards have persisted.
Despite this, the public in China often express confidence in authorities’ handling of data and typically considers private companies less trustworthy. Government leaks are often closely censored. Since the news of the Shanghai police breach emerged and went viral on the internet, it has been mostly censored. Chinese state-run media have not written about the news.
Although it was possible to verify samples provided by the hacker, whether it contains as much data as claimed has not been established.
Even so, the samples released do appear to be real. One sample contained 250,000 Chinese citizens’ personal information, including name, sex, address, government-issued ID number and birth year. In some cases, even individuals’ profession, marital status, ethnicity, education level and whether the person has been labeled a “key person” by the country’s public security ministry could be found.
Another sample set included police case records, which included records of reported crimes as well as personal information like phone numbers and IDs. The cases dated from as early as 1997 until 2019. The other sample set contained information that appeared to be individuals’ partial mobile phone numbers and addresses.
When a Times reporter called the phone numbers of people whose information was in the sample data of police records, four people confirmed the details. Four others who picked up the phone confirmed their names before hanging up. None of the people contacted said they had any previous knowledge about the data leak.
In one case, the data provided the name of a man and said that, in 2019, he reported to the police a scam in which he paid about $400 for cigarettes that turned out to be moldy. The individual, reached by phone, confirmed all the details described in the leaked data.
Shanghai’s public security bureau repeatedly refused to respond to questions about the hacker’s claim. Multiple calls to the Cybersecurity Administration of China went unanswered on Tuesday.
On Chinese social media platforms, like Weibo and the communication app WeChat, posts, articles and hashtags about the data leak have been removed. On Weibo, accounts of users who posted or shared related information have been suspended, and others who talked about it have said online they were asked to visit the police station for a chat.