Cybercriminals found a way into a Shanghai National Police database, in the largest exploit of personal information in the country’s history.
Residents of China are reeling today from the news that a cybersecurity breach led to over a billion people’s personal information being made available to hackers. The sensitive data came from a Shanghai National Police (SHGA) database that was left unsecured in what is the largest cybersecurity gap in the country’s history.
The nature of the exploit was discovered on July 5, when a cybercriminal, going by the username ChinaDan, was offered access to the massive amount of Chinese citizens’ information on a web forum for the sum of $200,000, or 10 Bitcoin.
On the forum, the hacker wrote: “In 2022, the SHGA database was leaked. This database contains many TB of data and information on Billions of Chinese citizen [sic]. Databases contain information on 1 Billion Chinese national residents and several billion case records, including: name, address, birthplace, national ID number, mobile number, all crime/case details.”
According to cybersecurity experts, the data located on the SHGA server was securely stored, until an adversary arranged a gateway, allowing for the server’s firewall to be breached. According to the New York Times, the gateway to the SHGA database was not password protected.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
The scope of the security breach
The attack is believed to have taken place due to unsecured servers of the SHGA, leading to the vulnerability of the sensitive information. Chinese authorities are known to collect massive amounts of data on their citizens through various means by tracking their movements, their social media posts and even going as far as to log the DNA of some of its citizens.
This amount of personal information available for anyone to see may seem overwhelming to those in the western world, but in China both the propensity for unsecured servers and the amount of sensitive data collected is nothing new. Several citizens according to the New York Times report said they were undaunted by the prospect of their information being made available online.
The breach of the SHGA is not the only database to have security issues, as a separate anonymous poster offered to sell data relating to another police database, this time in Henan, which houses over 90 million people.
It remains to be seen which individual or group claims responsibility for the attack, but an extensive amount of information on Shanghai’s citizens is on the internet for potential purchase.