 |
| Exhibitors show a big data visual analysis decision platform during the 2018 China international big data industry expo in Guiyang, southwest China’s Guizhou Province, May 26, 2018. [Photo/Xinhua] |
Beijing: China recorded the biggest ever database leak in history with nearly one billion personal data being online for more than a year.
The leak could be one of the biggest ever recorded in history, cybersecurity experts say, highlighting the risks of collecting and storing vast amounts of sensitive personal data online — especially in a country where authorities have broad and unchecked access to such data, reported CNN.
“As it stands today, I believe this would be the largest leak of public information yet — certainly in terms of the breadth of the impact in China, we’re talking about most of the population here,” said Troy Hunt, a Microsoft regional director based in Australia.
The online database contained the personal information of up to one billion Chinese citizens and was noticed after an anonymous user in a hacker forum offered to sell the data last week.
The anonymous user advertised to sell more than 23 terabytes (TB) of data for sale for 10 bitcoin — roughly USD 2,00,000 — in a post on a hacker forum last Thursday.
The user claimed the database was collated by the Shanghai police and contained sensitive information on one billion Chinese nationals, including their names, addresses, mobile numbers, national ID numbers, ages and birthplaces, as well as billions of records of phone calls made to police to report on civil disputes and crimes, reported CNN.
The vast trove of Chinese personal data had been publicly accessible via what appeared to be an unsecured backdoor link — a shortcut web address that offers unrestricted access to anyone with knowledge of it — since at least April 2021, according to LeakIX, a site that detects and indexes exposed databases online.
A sample of 750,000 data entries from the three main indexes of the database was included in the seller’s post.
Meanwhile, the Shanghai government and police department did not respond to CNN’s repeated written requests for comment.
The seller also claimed the unsecured database had been hosted by Alibaba Cloud, a subsidiary of Chinese e-commerce giant Alibaba.
Alibaba said “we are looking into this” and would communicate any updates. On Wednesday, Alibaba said it declined to comment to CNN.
China is home to 1.4 billion people, which means the data breach could potentially affect more than 70 per cent of the population.
It is unclear how many people have accessed or downloaded the database during the 14 months or more it was left publicly available online.
Unsecured personal data — exposed through leaks, breaches, or some form of incompetence — is an increasingly common problem faced by companies and governments around the world, and cybersecurity experts say it is not unusual to find databases that are left open to public access.
The latest data leak is particularly worrying, cybersecurity researchers say, not only because of its potentially unprecedented volume, but also the sensitive nature of the information contained.
A CNN analysis of the database sample found police records of cases spanning nearly two decades from 2001 to 2019. While the majority of the entries are civil disputes, there are also records of criminal cases ranging from fraud to rape.
In one case, a Shanghai resident was summoned by police in 2018 for using a virtual private network (VPN) to evade China’s firewall and access Twitter , allegedly retweeting “reactionary remarks involving the (Communist) Party, politics and leaders.”
In another record, a mother called the police in 2010, accusing her father-in-law of raping her 3-year-old daughter.
The Chinese government has recently stepped up efforts to improve protection of online user data privacy. Last year, the country passed its first Personal Information Protection Law, laying out ground rules on how personal data should be collected, used and stored.
But experts have raised concerns that while the law can regulate technology companies, it could be challenging to enforce when applied to the Chinese state, reported CNN.
