
    From David P.@21:1/5 to All on Sun Jul 10 07:49:17 2022
    China Police Database Was Left Open Online for Over a Year, Enabling Leak
    By Karen Hao and Rachel Liang, July 6, 2022, WSJ

    What is likely one of history’s largest heists of personal data—and the largest known cybersecurity breach in China—occurred because of a common vulnerability that left the data open for the taking on the internet, say cybersecurity experts who
    discovered the security flaw earlier this year.

    The Shanghai police records—containing the names, government ID numbers, phone numbers and incident reports of nearly 1 billion Chinese citizens—were stored securely, according to the cybersecurity experts. But a dashboard for managing and accessing
    the data was set up on a public web address and left open without a password, which allowed anyone with relatively basic technical knowledge to waltz in and copy or steal the trove of information, they said.

    “That they would leave this much data exposed is insane,” said Vinny Troia, founder of dark web intelligence firm Shadowbyte, which scans the web for unsecured databases and found the Shanghai police database in January.

    The database stayed exposed for more than a year, from April 2021 through the middle of last month, when its data was suddenly wiped clean and replaced with a ransom note for the Shanghai police to discover, according to Bob Diachenko, owner of the
    cybersecurity research firm SecurityDiscovery, which similarly found the database—and later the note—through its periodic web scans earlier this year.

    “your_data_is_safe,” the ransom note read, according to screenshots provided by Mr. Diachenko. “contact_for_your_data…recovery10btc,” meaning the data would be returned for 10 bitcoin, roughly $200,000.

    The ransom amount matches the price that an anonymous user began asking for last Thursday on an online cybercrime forum in exchange for access to a database the user claimed contained billions of records of Chinese citizens’ information stolen from a
    Shanghai national police database.

    The post, which began circulating on social media over the weekend, alarmed cybersecurity experts not just for the leak’s size but also because of the sensitivity of the information contained in the government database.

    The Shanghai government and the Cyberspace Administration of China, the country’s internet regulator, didn’t respond to requests for comment.

    Cybersecurity experts have pieced together new evidence of the database’s authenticity and details of how so much private information could have fallen in the hands of cybercriminals.

    The dashboard acted like an open door to the data vault, they say, which wasn’t closed—even after all the data went missing—until the vulnerability began gaining widespread public attention. Whoever stole the data is likely the same entity that is
    peddling it, according to Mr. Troia.

    “What’s pretty common is if the ransom victim doesn’t pay the ransom, then they’ll try to sell the data off online,” he said.

    It couldn’t be determined whether the database was made publicly accessible by accident or on purpose, perhaps to share the data more easily among a few people. Such vulnerabilities are common, Mr. Troia and Mr. Diachenko said, though both said they
    were shocked to find an unsecured database of this size.

    Both said they also corroborated the anonymous leaker’s claims that it includes over 23 terabytes of data covering as many as a billion individuals. One file named “person_address_label_info_master”—which contains people’s names, birthdays,
    addresses, government IDs and ID photos—runs close to 970 million rows long, they said, which suggests it includes details on just as many people, assuming no duplicate entries.

    That file marks individuals who have a criminal history, and includes people with traffic violations, those considered fugitives and those who have been accused of rape or homicide. It also includes a label for “people who should be closely monitored,”
    a designation often used in China’s government surveillance systems to denote people seen as posing a threat to social order.

    The data leak highlights what some policy researchers have described as the central contradiction in China’s approach to information security.

    In recent years, Beijing has signaled that data security and privacy are a priority, passing a series of laws and regulations designed to restrict commercial collection of sensitive data, including personal information, and keep it within the country’s
    borders. At the same time, the government has itself continued to collect vast amounts of data through a nationwide digital surveillance apparatus to exert tighter control over Chinese society.

    That the information was leaked from a government agency—and now has an unknown number of copies circulating outside of the country’s borders—could undermine Beijing’s argument that such a system protects national security, some China tech-policy
    experts say.

    “It’s unclear who holds who accountable,” Kendra Schaefer, the head of tech-policy research at Trivium China, a Beijing-based strategic advisory consulting firm, wrote on Twitter in response to the leak. She said it is typically the Ministry of
    Public Security, which oversees local police agencies such as the Shanghai police, that is responsible for cybercrime investigations.

    The Chinese government hasn’t commented on the data leak, and references to it on Chinese social media are quickly being scrubbed.

    Some Chinese-speaking users of Twitter, including the chief executive of cryptocurrency exchange Binance, speculated that the leak stemmed from a 2020 technical blog post published by a user on CSDN, a Chinese developer forum similar to GitHub, that
    appeared to inadvertently include the access credentials to a Shanghai police server.

    Mr. Troia and Mr. Diachenko said the database, based on its configuration, in fact didn’t need access credentials at all, making that theory unlikely. The fault was with the person who set up the dashboard, they said.

    https://www.wsj.com/articles/china-police-database-was-left-open-online-for-over-a-year-enabling-leak-11657119903

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)