Hacker offers to sell Chinese police database over potential hack

The hacker has put up for sale a database of the Shanghai police, which may contain information about about one billion Chinese citizens.

Although it was not possible to immediately verify the extent of the leak, which the hacker reported in a forum post that included terabytes of information about a billion Chinese, The New York Times was able to verify parts of a sample of 750,000 hacker entries. published to confirm the accuracy of the data.

An unknown individual or group is selling the data for 10 bitcoins, or about $200,000.

The Chinese government has been hard at work in recent years to tighten controls on the leaky industry that has fueled internet scams. However, technology companies have often been the focus of this enforcement. The government itself, which has long struggled to properly protect the data it collects about citizens, is often exempt from the strict rules and penalties against Internet companies.

In the past, when smaller leaks have been reported by so-called white hat hackers looking for and reporting vulnerabilities, Chinese regulators have warned local authorities to better protect data. Even so, it was difficult to enforce discipline. With the police leading one of the world’s most invasive surveillance devices, the responsibility for protecting collected data often falls to local officials who have little experience in data security. As a result, problems remain with databases remaining open to the public or being made vulnerable by relatively lax security measures.

Despite this, the public in China often expresses confidence in how the authorities handle data and generally sees private companies as less trustworthy. Government leaks are often heavily censored. Ever since the news of the Shanghai police break-in broke and went viral on the internet, it has mostly been censored. Chinese state media did not report on the news.

Although it was possible to check the samples provided by the hacker, it has not been established whether it contains as much data as claimed.

However, the released samples seem to be real. One sample contained the personal information of 250,000 Chinese citizens, including name, gender, address, national identification number, and year of birth. In some cases, even the profession, marital status, ethnicity, level of education and whether a person has a label “key person“The Ministry of Public Security of the country managed to detect.

Another set of samples included police case records, which included recorded crime records as well as personal information such as phone numbers and IDs. The cases date from 1997 to 2019. The other sample contained what appeared to be partial mobile phone numbers and addresses of individuals.

When a Times reporter gave the phone numbers of people whose information was in a sample of police records, four people confirmed the details. The four others who answered the phone confirmed their names before hanging up. None of those interviewed said they had previously known about the data breach.

In one case, the data included a man’s name and said that in 2019 he reported a scam to police in which he paid about $400 for cigarettes that turned out to be moldy. The person contacted by phone confirmed all the details described in the leaked data.

The Shanghai Public Security Bureau repeatedly refused to answer questions about the hacker’s statement. On Tuesday, numerous calls to the China Cyber ​​Security Administration went unanswered.

On Chinese social networks such as Weibo and the communication app WeChat, posts, articles and hashtags about the data breach have been removed. On Weibo, the accounts of users who posted or shared related information were blocked, and others who spoke about it said online that they were asked to visit the police station for a chat.