The data included names, national ID and phone numbers, medical records, police report details and other information. Although the authenticity of the full database has not been confirmed, some ID numbers reviewed by The Post appear to match information found on a government website.
The suspected hackers said there were several billion case reports – from robberies to fights to domestic violence, dated from the late 1990s to 2019 – and the records of one billion Chinese citizens. If authenticated, the database would cover more than 70% of China’s 1.4 billion people. Personal information and reported incidents were kept in separate files.
Despite the scope, the government was preventing victims from learning of the leak. On Weibo, a Twitter-like platform widely used in China, a keyword search for “data leak” or “Shanghai police database” returned no results related to the breach. One of the people concerned, in an interview with The Post, confirmed details of the case associated with him but was unaware of the leak.
The breach came after China’s Personal Information Protection Law came into effect last year, which imposed strict security measures on companies and government entities that handle personal information. The law was passed after Chinese regulators ordered more than 40 companies to change their operations for violating data transfer rules, Reuters reported.
Kendra Schaefer, head of technology policy research at the China-focused research team Trivium China, said in a Twitter post Monday that the incident was the first major public violation by a government agency under the new law. “So it’s unclear who holds who accountable,” she said. The Ministry of Public Security (MPS) would generally oversee cybercrime investigations.
“The records would also contain details of juvenile records,” Schaefer said. “It would therefore be a violation of the law on the protection of minors.” She raised the possibility that the data contains information about celebrities or officials.
In the published data sample, some information was associated with people listed in the “seven key person categories”, a reference to people monitored by the Ministry of Public Security for suspected criminal activity.
State departments, the Shanghai government and the Shanghai Police Department did not respond to requests for comment.
However, it’s also possible that the files were online before the law came into effect – they only came to public attention after the alleged hacker uploaded them. Cybersecurity researcher Vinny Troia told CNN he was made aware of the database in January on a public site, which opened in April 2021, meaning anyone could have accessed the database since then.
There is also speculation that government personnel accidentally included the credentials needed to access the database in a blog post on the Chinese Software Developer Network, a forum for developers to share code. Changpeng Zhao, the managing director of cryptocurrency exchange Binance, referred to the theory in a tweet on Monday. He said the company had “already intensified checks” for potentially affected users.
The anonymous poster claimed the database was hosted by AliCloud, a subsidiary of Chinese e-commerce giant Alibaba Group. Cloud providers affiliated with big tech companies, like AliCloud, have typically built the digital infrastructure for government agencies.
Alibaba Group did not respond to a request for comment.
But Shawn Chang, managing director of security solutions provider HardenedVault, found the theory unconvincing. “Shanghai is a city [with] 250 million inhabitants. AliCloud is unlikely [to use] a key to the whole police system,” he said. He added that the breach could be elsewhere, such as with centralized key management services that failed to go through the authentication process.
Web security consultant Troy Hunt said the anonymity of the person who offered the data for sale, as well as the size of the database, raised questions about its accuracy. The solicitation of a large payment also raises the possibility that the claim was exaggerated or falsified, he added.
But the data was also strong “because it’s a very unique class of information,” Hunt said. Unlike self-declared names and phone numbers when filling out an online form – which have been seen in other data breaches – these were police reports that “really would only be in one place.”
It’s no secret that government entities in China have poorly managed data systems. “The problem with the Chinese government is that it collects all citizen data on public service platforms, which had serious consequences once the data was leaked,” Chang said. “Wherever you go, you have to submit your information. But there is no systematic way to manage this data. Private companies are also bad at data management, but they are better than the government.”
Earlier this year, a researcher obtained a cache of Xinjiang police documents, which detail draconian surveillance and re-education practices in the region and shed light on Beijing’s crackdown on the Uyghur population.