Claims of the largest cyber attack in China’s history have sparked an open debate about the extent to which Beijing vacuums up personal data.
Claims of the biggest cyber attack in China’s history have sparked an open debate about the extent to which Beijing mines personal data and uses private companies to safeguard that treasure, a discussion that could have ramifications for the broader tech industry in China.
If verified, the alleged theft of 23 terabytes of personal information of up to a billion Chinese citizens from a Shanghai police database would rank as the country’s largest data leak ever, if not one of the largest. that the world has seen. The allegations that surfaced over the weekend have sent tech circles buzzing and prompted unusual public comments from high-profile industry figures such as Binance co-founder Zhao Changpeng.
Questions remain as to how the unknown hackers apparently gained access to the trove managed by the Shanghai branch of the Ministry of Public Security, which according to online posts included data detailing app user activity, Chinese phone numbers and addresses, and more. popular. A seller had asked for 10 Bitcoin, worth around $200,000, in exchange for the data.
Many forensic experts agreed that there were significant security flaws. For researchers who have examined the underlying source code and database samples, the breadth of the alleged data underscores not only the staggering scale of government data collection in the PRC, but also the many risks in how that information is managed.
“The PRC government is probably in crisis mode right now,” said Dakota Cary, a consultant with the Washington-based Krebs Stamos Group. “It seems obvious to wonder why Shanghai MPS needed access to all this data, but this is the exact system of surveillance and details about people that the government wants.”
Chinese President Xi Jinping has long identified data as key to governing and powering the country of 1.4 billion people. Beijing is pouring money into digital infrastructure, implementing new laws and building data centers to position China as a leader in the digital economy. The Shanghai gap may become an embarrassment for Xi as he tries to secure a record-breaking third term as president later this year.
“It is necessary to safeguard the country’s data security, protect personal information and business secrets, and promote the efficient circulation and use of data to boost the real economy,” Xi stressed at a meeting with a top government body last week. Less than two weeks. ago, according to a reading by the official Xinhua news agency.
China has pioneered new forms of near-constant surveillance and massive data collection on its citizens, a national apparatus that has expanded as Beijing tries to track and prevent the spread of virus cases as part of its Covid Zero strategy. A Bloomberg News analysis of a sample posted by the suspected hackers reveals information from names, mobile phone numbers and addresses to education levels, ethnicity, even express delivery records and information from police reports and criminal cases.
Yet official agencies have remained remarkably silent this week, even as the debate gained momentum online. Chinese state media have not yet reported on the incident. Many, but not all, posts about the leak on Chinese social media have been removed. And the Shanghai authorities have so far not responded publicly.
Representatives from the city police and the Cyberspace Administration of China, the country’s Internet watchdog, also have not responded to faxed requests for comment. A Foreign Ministry spokesman said only that he was not aware of the report on Monday, in an exchange that was left out of the official transcript of the agency’s daily briefing.
“There is no doubt among Chinese citizens that the government collects their data, but the loss of data by criminals is embarrassing for the government,” added Cary.
That silence has given rise to a number of theories about how the breach came about. Some security researchers who spoke to Bloomberg News said the incident may have occurred after a developer accidentally posted access database keys online, a lapse that wouldn’t seem to fully explain the apparent access to a law enforcement network. internal.
Others argued that it is more likely that a cloud service provider, which hosted backup or synchronization for the police database, had been compromised in some way. Alibaba Group Holding Ltd., Tencent Holdings Ltd. and Huawei Technologies Co. are among the largest external cloud services in the country. Representatives from the three firms had no immediate comment on the episode.
If a cloud provider is to blame for the breach, it could hasten a migration of government agencies away from private services, now by far the largest and most popular Internet computing platforms. State-backed cloud providers include smaller rivals like Inspur Ltd. or carriers like China Telecom Corp.
“There are a lot of breaches around the world,” said Shawn Chang, founder and CEO of Hong Kong-based security firm HardenedVault. “But the size of this data breach is rarer because China collects more data from public systems.”
Chinese officials and companies rarely disclose data breaches affecting domestic services, a lack of transparency that coincides with a new emphasis on cybersecurity in Beijing. Major leaks in the past included personal information about dozens of Communist Party officials and industry leaders exposed on Twitter Inc. in 2016 and in 2020, when the Twitter-like service Weibo Corp. acknowledged that hackers claimed to sell information from accounts in more than 538 million users.
It’s common to see personal data offered for sale on Chinese cybercriminal forums, but “the scale and amount of personal data being offered here is unheard of,” said Budi Arief, who researches cybercrime at the Cyber Security Institute for Cybersecurity. Society of the University of Kent.
A growing demand for privacy among the public, as well as concerns about the control of sensitive data for private tech giants, have prompted stricter regulations, including the passage of a personal information protection law in China in 2021. Under that legislation , which encompasses data protection and requires storage within Chinese borders, state entities that fail in their duty to protect sensitive information could incur vague sanctions and remedial action.
But the US and other nations have repeatedly identified China as one of the world’s biggest sources of cybercriminals, who they say infiltrate systems on behalf of national agencies in search of valuable data or intellectual property.
If the information exposed in the latest hack is genuine, hundreds of millions are at risk of identity theft or access to their online accounts.
The extent of the consequences now depends on a number of factors, including who is singled out for the lapse. Public safety agencies, which would normally be responsible for investigating and punishing the breach, cannot escape the blame, said Adam Segal, director of the digital and cyber policy program at the Council on Foreign Relations.
“The Party will likely discipline the MPS and local officials internally, without drawing much public attention,” said Cary of the Krebs Stamos Group. “Alternatively, if the government finds that the breach was really the fault of a private company that maintained the database, that company will likely be fined or singled out for costly inspections by market regulators.”