In what may be one of the largest known leaks of Chinese personal data, a hacker has offered to sell a Shanghai police database that could contain information on perhaps a billion Chinese citizens.
The unnamed hacker, who goes by the name ChinaDan, posted on an online forum last week that the database for sale included terabytes of information on a billion Chinese. The scale of the leak could not be verified. The New York Times confirmed parts of a sample of 750,000 records that the hacker posted to prove the authenticity of the data.
The hacker, who joined the online forum last month, is selling the data for 10 Bitcoin, or around $200,000. The individual or group did not provide details on how the data was obtained. The Times contacted the hacker via an email in the post, though it could not be delivered because the address appeared to be incorrect.
The Shanghai police database hacker’s bid highlights a dichotomy in China: Although the country has been at the forefront of collecting vast amounts of information about its citizens, it has been less successful in securing and safeguarding that data. .
Over the years, China’s authorities have become adept at collecting digital and biological information about people’s daily activities and social connections. They analyze social media posts, collect biometric data, track phones, record police camera video, and filter what they get to find patterns and aberrations. A Times investigation last month revealed that Chinese authorities’ appetite for information from ordinary citizens has only expanded in recent years.
But even as Beijing’s appetite for surveillance has increased, authorities appear to leave the resulting databases open to the public or have left them vulnerable with relatively weak safeguards. In recent years, The Times has reviewed other databases used by police in China.
China’s government has worked to tighten controls on a leaked data industry that has fueled internet fraud. However, the enforcement focus has often been on technology companies, while authorities appear to be exempt from strict rules and penalties aimed at protecting information at internet companies.
Last year, for example, Beijing cracked down on Didi, the Chinese equivalent of Uber, after its effort to list on the New York Stock Exchange, citing the risk that sensitive personal information could be exposed. But when local authorities in China’s Henan province misused data from a Covid-19 app to block protesters last month, officials were largely spared harsh penalties.
When smaller leaks have been reported by so-called white hat hackers, who seek out and report vulnerabilities, Chinese regulators have warned local authorities to better protect the data. Still, ensuring discipline has been difficult, as the responsibility for protecting data often falls to local officials who have little experience overseeing data security.
Despite this, the public in China often express confidence in the authorities’ handling of data, and generally view private companies as less trustworthy. Government leaks are often censored. News about the Shanghai police rape has also been mostly censored, and China’s state media did not write about it.
In the hacker’s online post, samples of the Shanghai database were provided. In one sample, the personal information of 250,000 Chinese citizens was included, such as name, gender, address, government-issued identification number and year of birth. In some cases, people’s profession, marital status, ethnicity, and level of education could also be found, as well as whether the person was labeled a “key person” by the country’s public security ministry.
Another set of samples included police case records, which included records of reported crimes, as well as personal information such as phone numbers and IDs. The cases date from 1997 to 2019. The other set of samples contained information that appeared to be the individuals’ mobile phone numbers and partial addresses.
When a Times reporter called the phone numbers of people whose information was in the sample data from police records, four people confirmed the details. Four others confirmed their names before hanging up. None of the people contacted said they had prior knowledge of the data leak.
In one case, the data provided the name of a man and said that, in 2019, he reported a scam to police in which he paid about $400 for cigarettes that turned out to be moldy. The individual, contacted by phone, confirmed the details outlined in the leaked data.
The Shanghai Public Security Bureau declined to answer questions about the hacker’s claim. Calls to the Cyber Security Administration of China went unanswered on Tuesday.
On Chinese social media platforms such as Weibo and the WeChat communication app, posts, articles and hashtags about the data leak were removed. On Weibo, the accounts of users who posted or shared related information were suspended, and others who spoke about it said online that they had been asked to visit the police station for a chat.