China got a taste of its own medicine when it suffered the biggest online database leak ever recorded. Personal information of nearly a billion Chinese citizens was found lying unsecured online for nearly a year.
The shocking incident came to light when an unknown user in a hacker forum informed the world that he found the data lying free for anyone to hack or misuse. Significantly, in the last couple of years, it was China that was accused by the West of sensitive data theft.
Cyber experts say this is a warning to the Chinese government that there are high risks involved in storing such huge amounts of people’s data online.
As news of the unsecured online data spread across the world, the anxiety of Chinese citizens grew over how the government would ensure that their data remains safe now.
CNN reported: “The vast trove of Chinese personal data had been publicly accessible via what appeared to be an unsecured backdoor link — a shortcut web address that offers unrestricted access to anyone with knowledge of it — since at least April 2021, according to LeakIX, a site that detects and indexes exposed databases online. Access to the database, which did not require a password, was shut down after an anonymous user advertised the more than 23 terabytes (TB) of data for sale for 10 bitcoin — roughly $200,000 — in a post on a hacker forum.”
According to the person who disclosed the information, it was allegedly the Shanghai police who collated the data and it “contained sensitive information on one billion Chinese nationals, including their names, addresses, mobile numbers, national ID numbers, ages and birthplaces, as well as billions of records of phone calls made to police to report on civil disputes and crimes”.
CNN tried to access the original database but reported it could not do so. However, it did manage to verify some entries the seller provided. The seller’s post had included a sample of 750,000 data entries “from the three main indexes of the database”.
Another allegation, made by the seller, is that the unsecured database was “hosted by Alibaba Cloud, a subsidiary of Chinese e-commerce giant Alibaba” but the company only said, “we are looking into this”.
In a country with 1.4 billion people, the breach of the data means that private information related to nearly 70 per cent of the population may be at risk. Experts told the western media that “it is unclear how many people have accessed or downloaded the database during the 14 months or more it was left publicly available online”.
CNN contacted experts in cyber security who were aware of the data leak. One of them, “Vinny Troia, a cyber security researcher and founder of dark web intelligence firm Shadowbyte, said he first discovered the database ‘around January’ while searching for open databases online”.
Troia was quoted as saying: “The site that I found it on is public, anybody (could) access it, all you have to do is register for an account.” Since it was opened in April 2021, any number of people could have downloaded the data. Troia revealed he “downloaded one of the main indexes of the database, which appears to contain information on nearly 970 million Chinese citizens”.
The biggest question is how this happened. China is so secretive and has so many checks and balances in its security systems, yet how did nobody in the government or the data monitoring agencies detect this unsecured data? Or were they aware of it but did nothing about it? Nobody knows, as the government is not talking. What needs to be probed first is why the data had open access in the first place.
Troia referred to the authorities responsible for the database when he said: “Either they forgot about it, or they intentionally left it open because it’s easier for them to access.”
The rest of the world is not actually shocked at the revelation. What is new is that it happened in secretive China. Otherwise, there have been many such incidents in the past. As billions of data particles enter the ether, there is enough scope for a portion of the data to be rendered insecure and open to hackers because of indifference, incompetence or espionage.
One of the biggest data leaks in the US came to light in 2018 when a marketing firm in Florida exposed “close to 2 TB of data that appeared to include personal information on hundreds of millions of American adults on a publicly accessible server”.
The following year, China was in the news when a European cyber security expert “found an online database containing names, national ID numbers, birth dates and location data of more than 2.5 million people in China’s far-western region of Xinjiang, which was left unprotected for months by Chinese firm SenseNets Technology”.
A Reuters report said the data leak exposé was widely discussed on Chinese social media sites, spreading the alarm across the country. Within a few hours, the hashtag “data leak” was reported blocked on the Weibo platform. That suggests how sensitive the Chinese government is to the news: it does not want it to spread and fuel people’s anxiety or even turn it into unrest.
The exposé will come as a dampener for President Xi Jinping, who is clearly of the view that big data is the key to governing a massive population of 1.4 billion people. A Xinhua report only recently quoted the president talking about data at a conference: “It is necessary to safeguard the country’s data security, protect personal information and business secrets, and promote the efficient circulation and use of data so as to empower the real economy.”
Given the excessive Chinese spending on surveillance and mass data collection, and the Chinese Communist Party’s obsession with control, the data leak comes as a shocker.