Chinese policemen patrol the bund area in Shanghai, June 1, 2022.
Ng Han Guan/AP/File photo
If confirmed, China may have just experienced one of the largest data breaches in history. An anonymous hacker named "ChinaDan" is offering up information taken from the Shanghai police on as many as 1 billion Chinese citizens.
The price tag for the supposed trove is 10 bitcoins, or $200,000.
The information is said to have been left unsecured and publicly accessible for more than a year, and access to the database did not require a password.
Zeyi Yang, a China reporter with MIT Technology Review, looked at some of the data and spoke from New York with The World's host Marco Werman about the situation.
Marco Werman: What do we know so far about this digital information? What's in it?
Zeyi Yang: So, the hacker has released a sample data set. And among those data sets are people's addresses, crime records, police card records. This is a lot of information that only something like the Chinese government would get from you. We know that a lot of companies out there are collecting our information. That's the same in China. A lot of tech companies, consumer companies, they are collecting information. But there are also things that only the Chinese government or the police would have. Like your police cards, your unique identity number, which is similar to a social security number that we have here.
How significant is this breach?
Well, it's very big. First of all, China has about 1.4 billion people. So, this covers over half of China, which is a lot. And also, according to the information we have right now, like the sample datasets that the hacker released, this information is quite authentic, actually. People can verify the numbers with their names, with their addresses. And so, if this whole data set is completely authentic, this will be probably the most historically significant data breach.
So, what would it mean if data of even a fraction of these 1 billion people was acquired by someone for the price tag of $200,000? What would they actually do with it?
Right. So, one thing we need to be clear about is that it's not about like hacking into your personal account and doing things with your account or your credit card information. It's more about having your information and then using it, most likely, in telecommunication fraud. Because in China, telecommunication fraud is pretty prevalent. And there have already been cases where people buy personal information and use that to trick you into giving up more information. So, this is, right now, the biggest concern, that if crime organizations can afford this bid on nationals' information, they can basically use that to have their own database and use it to trick people, to scam people.
How is this story being reported in China and what are people saying about it?
Well right now, we are suspecting that the Chinese government has forbidden people from talking about it. We are seeing some of the social media censors. They are working to scrap these conversations. And that's not very surprising because it does paint the government in a bad picture, and usually, the government avoids those kind of conversations online. But right now, we have not seen any kind of accountability responses. We have not seen how the government addresses this or are going to guard this information better in the future, none of those yet.
So, what are the implications of this data breach for cybersecurity in China?
I think it does start a new conversation about government responsibility in securing these databases. Because in the past few years, China has some new legislation about data security, there has been a lot of conversation about how private companies collect too much information and don't store them security. That's something people are already worried about and people are already asking for more accountability. But so far, discussions about how the government stores the data has kind of assumed that the government has the resources and has the technology to secure them very well. But this data breach just shows us that that's actually not always the case because all of this data is managed by local governments. They may not have the best security practices to make sure citizen data cannot leak to the public. We can expect maybe there will be more discussion in the cybersecurity field about what the government should do to protect their databases because they probably have much more than any private company has.