In what may be one of the largest known breaches of Chinese personal data, a hacker has offered to sell a Shanghai police database that could contain information on perhaps one billion Chinese citizens.
The unidentified hacker, who goes by the name ChinaDan, posted in an online forum last week that the database for sale included terabytes of information on a billion Chinese. The scale of the leak could not be verified. The New York Times confirmed parts of a sample of 750,000 records that the hacker released to prove the authenticity of the data.
The hacker, who joined the online forum last month, is selling the data for 10 Bitcoin, or about $200,000. The individual or group did not provide details on how the data was obtained. The Times reached out to the hacker but did not immediately receive a response.
The hacker’s offer of the Shanghai police database highlights a dichotomy in China: Although the country has been at the forefront of collecting masses of information on its citizens, it has been less successful in securing and safeguarding that data.
Over the years, authorities in China have become expert at amassing digital and biological information on people’s daily activities and social connections. They parse social media posts, collect biometric data, track phones, record video using police cameras and sift through what they obtain to find patterns and aberrations. A Times investigation last month revealed that the appetite of Chinese authorities for regular citizens’ information has only expanded in recent years.
But even as Beijing’s appetite for surveillance has ramped up, authorities have appeared to leave the resulting databases open to the public or to protect them with relatively weak safeguards. In recent years, The Times has reviewed other databases used by the police in China.
China’s government has worked to tighten controls over a leaky data industry that has fed internet fraud. Yet the focus of the enforcement has often centered on tech companies, while authorities appear to be exempt from strict rules and penalties aimed at securing information at internet firms.
Yaqiu Wang, a senior China researcher at Human Rights Watch, said if the government doesn’t protect its citizens’ data, there are no consequences. In Chinese law, “there is vague language about state data handlers having responsibility to ensure the security of the data. But ultimately, there is no mechanism to hold government agencies responsible for a data leak,” she said.
Last year, for example, Beijing cracked down on Didi, China’s equivalent of Uber, after its listing effort on the New York Stock Exchange, citing the risk that sensitive personal information could be exposed. But when local authorities in the Chinese province of Henan misused data from a Covid-19 app to block protesters last month, officials were largely spared from severe penalties.
When smaller leaks have been reported by so-called white-hat hackers, who search out and report vulnerabilities, Chinese regulators have warned local authorities to better protect the data. Even so, ensuring discipline has been difficult, with the responsibility to protect the data often falling on local officials who have little experience overseeing data security.
Despite this, the public in China often expresses confidence in authorities’ handling of data and typically considers private companies less trustworthy. Government leaks are often censored. News of the Shanghai police breach has also been mostly censored, with China’s state-run media not reporting it.
“In this Shanghai police case, who is supposed to investigate it?” said Ms. Wang of Human Rights Watch. “It’s the Shanghai police itself.”
In the hacker’s online post, samples of the Shanghai database were provided. In one sample, the personal information of 250,000 Chinese citizens — such as name, sex, address, government-issued ID number and birth year — was included. In some cases, the individuals’ profession, marital status, ethnicity and education level, along with whether the person was labeled a “key person” by the country’s public security ministry, could also be found.
Another sample set consisted of police case records, including records of reported crimes, as well as personal information like phone numbers and IDs. The cases dated from as early as 1997 until 2019. The other sample set contained information that appeared to be individuals’ partial mobile phone numbers and addresses.
When a Times reporter called the phone numbers of people whose information was in the sample data of police records, four people confirmed the details. Four others confirmed their names before hanging up. None of the people contacted said they had any previous knowledge about the data leak.
In one case, the data provided the name of a man and said that, in 2019, he reported to the police a scam in which he paid about $400 for cigarettes that turned out to be moldy. The individual, reached by phone, confirmed the details described in the leaked data.
Shanghai’s public security bureau declined to respond to questions about the hacker’s claim. Calls to the Cybersecurity Administration of China went unanswered on Tuesday.
On Chinese social media platforms, like Weibo and the communication app WeChat, posts, articles and hashtags about the data leak have been removed. On Weibo, accounts of users who posted or shared related information have been suspended, and others who talked about it have said online that they had been asked to visit the police station for a chat.