Chinese censors are working overtime to clamp down on news that the data they’ve siphoned from their citizens over the years is apparently out there and is being sold for less than the anticipated cost of a Tesla Roadster.
On Monday, reports showed that a hacker only identified as “ChinaDan” told members of the hacker site Breach Forums that he had acquired 23 terabytes of data on 1 billion Chinese citizens, according to Reuters. It’s data he’s willing to part with for the right price. How much is 1 billion people’s personal data worth? Apparently just 10 bitcoin, or approximately $US200,000 ($277,640).
The post said that the data trove came from a leaked version of the Shanghai National Police database. ChinaDan’s original post included a sample of 250,000 citizens’ info, but that sample size was apparently increased to 750,000. BleepingComputer included an image of the forum post that reads the “Databases contain information on 1 billion Chinese national residents and several billion case records, including: name, address, birthplace, national ID number, mobile number, all crime/case details.”
The leak has drawn a fair bit of critique and claims that it’s probably exaggerated, especially considering that the total number from this Shanghai police database would be just 400 million shy of the total population of all of China, 1.4 billion.
The Chinese government has not made any official mention about the hack to reporters, in public, or online. Further reports have displayed just how much Beijing doesn’t want its citizens talking about the breach. The Financial Times reported that government censors have taken down posts on Chinese social media that dared even mention the alleged leak.
FT wrote that Weibo, essentially China’s version of Twitter, and WeChat were already censoring any mention of hashtags containing “data leak” or “database breach.” Censors blocked existing posts and even reportedly asked at least one poster with a big follower-base to come in for questioning. The NYT reported that Chinese state media has been mum on news of the hack.
The hacker wrote that the data was taken from cloud computer firm Aliyun which they said hosts the Shanghai police database. Binance CEO Changpeng Zhao wrote on Twitter they detected that the records were for sale on the dark web which was “likely due to a bug in an Elastic Search [sic] deployment by a gov agency.” Zhao further wrote they were “stepping up verifications” for its users whose info were included in the breach.
If true, then it is perhaps the biggest leak of personal data ever. 2022 has already proved a big year for data breaches at multinational companies as well as governments. This also isn’t the first time a bug in an Elasticsearch server resulted in leaked information. A misconfigured server at a Texas-based data firm Ascension Data & Analytics reportedly leaked over 24 million financial and banking records back in 2019.
Gizmodo was unable to determine the authenticity of the post or what data was contained inside the trove, though the New York Times was able to confirm the veracity of the original sample containing 250,000 citizens’ personal information. Reporters called individuals listed in the database who apparently confirmed who they were and any past police reports they apparently filed — which also included whether an individual was labelled a “key person” by public security, making it easier to flag their activities in the country’s broader surveillance state.
The Wall Street Journal also called a few of the names and numbers contained in the broader 750,000 sample, where five of those people also confirmed that data that would be hard to come by if it wasn’t gathered by police. Some numbers the Journal tried were no longer valid, though the reporters noted Chinese citizens often change their numbers.
One man, who went by his surname of Wei, told the Journal after learning about his information being leaked “We are all running naked,” a way of saying that they have no privacy.