Shanghai Cyberattack Exposes Dangers of China’s Data Trove
Claims of the largest cyberattack in Chinese history have sparked an open debate about the extent to which Beijing hoovers up personal data.
Claims of the largest cyberattack in Chinese history have sparked an open debate about the extent to which Beijing hoovers up personal data and uses private firms to safeguard that trove, a discussion that could have ramifications for the broader technology industry in China.
If verified, the purported theft of 23 terabytes of personal information on as many as a billion Chinese citizens from a Shanghai police database would rank as the country's largest ever known data breach, if not one of the biggest leaks the world has seen. The allegations that emerged over the weekend have set tech circles buzzing and prompted rare public comment from high-profile industry figures such as Binance co-founder Zhao Changpeng.
Questions remain about how the unknown hackers apparently gained access to the trove run by the Ministry of Public Security's Shanghai branch, which according to online posts included data detailing user activity from the most popular Chinese apps, as well as addresses and phone numbers. A seller had asked for 10 Bitcoin, worth around $200,000, in exchange for the data.
Many forensic experts agreed there were significant security lapses. To researchers who have examined the underlying source code and database samples, the breadth of the purported data underscores not only the staggering scale of government data collection in the People's Republic of China but also the numerous risks in how that information is managed.
“The PRC government is likely in crisis mode right now,” said Dakota Cary, a consultant with the Washington-based Krebs Stamos Group. “It seems obvious to ask why Shanghai MPS needed access to all this data, but this is the exact system of surveillance and detail about individuals that the government wants.”
Chinese President Xi Jinping has long identified data as key for governing and driving the country of 1.4 billion. Beijing is pouring money into digital infrastructure, rolling out new laws and building data centers to position China as a leader in the digital economy. The Shanghai breach may become an embarrassment for Xi as he tries to secure a precedent-breaking third term as president later this year.
“It is necessary to safeguard the country's data security, protect personal information and business secrets, and promote the efficient circulation and use of data so as to empower the real economy,” Xi stressed in a meeting with a top government body less than two weeks ago, according to a readout from the official Xinhua News Agency.
China has pioneered new forms of near-constant surveillance and mass data collection on its citizens, a nationwide apparatus that has expanded as Beijing tries to track and prevent the spread of virus cases as part of its Covid Zero strategy. A Bloomberg News analysis of a sample published by the alleged hackers reveals information from names, mobile numbers and addresses to education levels, ethnicity -- even logs of express deliveries and information from police reports and criminal cases.
Yet official agencies have remained noticeably silent this week even as the debate gained momentum online. Chinese state media have yet to report on the incident. Many -- but not all -- posts about the leak on Chinese social media have been removed. And the Shanghai authorities have so far not publicly responded.
Representatives for the city's police and Cyberspace Administration of China, the country's internet overseer, also haven't responded to faxed requests for comment. A Foreign Ministry spokesman said only that he was not aware of the report Monday, in an exchange that was left off the official transcript for the agency's daily briefing.
“There's no doubt among Chinese citizens that the government does collect their data, but the loss of it to criminals is embarrassing for the government,” Cary added.
That silence has given rise to a number of theories on how the breach took place. Some security researchers who spoke with Bloomberg News said the incident may have occurred after a developer accidentally posted database access keys online, a lapse that wouldn't seem to fully explain apparent access to an internal police network.
Others argued it's more likely a cloud service provider, which hosted backups or synchronization for the police database, was somehow compromised. Alibaba Group Holding Ltd., Tencent Holdings Ltd. and Huawei Technologies Co. are among the country's biggest external cloud services. Representatives for the three firms didn't have immediate comment on the episode.
If blame falls on a cloud provider for the breach, it could accelerate a migration by government agencies away from private services, now by far the largest and most popular internet computing platforms. State-backed cloud providers include smaller rivals like Inspur Ltd. or carriers such as China Telecom Corp.
“There are a lot of breaches all over the world,” said Shawn Chang, founder and CEO of Hong Kong-based security firm HardenedVault. “But the size of this data breach is more rare because China collects more data from public systems.”
Chinese officials and companies rarely disclose data breaches affecting domestic services, a lack of transparency that coincides with a new emphasis on cybersecurity from Beijing. Major leaks in the past have included personal information on dozens of Communist Party officials and industry leaders exposed on Twitter Inc. in 2016 and in 2020, when the Twitter-like service Weibo Corp. acknowledged hackers were claiming to sell account information on more than 538 million users.
It's common to see personal data offered for sale on Chinese cybercriminal forums but the “scale and amount of personal data being offered here is unheard-of,” said Budi Arief, who researches cybercrime at the University of Kent's Institute for Cyber Security for Society.
A growing demand for privacy among the public, as well as concerns around the control of sensitive data by private tech giants, have fueled stronger regulations, including China's passing of a personal information protection law in 2021. Under that legislation, which encompasses data protection and requires storage within Chinese borders, state entities that fail in their duties to protect sensitive information could incur sanctions and vaguely defined corrective measures.
But the US and other nations have repeatedly identified China as one of the world's biggest sources of cybercriminals, which they say infiltrate systems on behalf of domestic agencies in search of valuable data or intellectual property.
If the information exposed in the latest hack is genuine, hundreds of millions risk identity theft or access to their online accounts.
The extent of the fallout now depends on a number of factors, including who's fingered for the lapse. The public security agencies, which would ordinarily be responsible for investigating and punishing the breach, may not escape blame, said Adam Segal, director of the digital and cyberspace policy program at the Council on Foreign Relations.
“The Party will likely discipline MPS and local officials internally, without drawing much public attention,” said Cary, of Krebs Stamos Group. “Alternatively, if the government does find that the breach was truly the fault of a private firm that maintained the database, that company will likely be fined or targeted by market regulators for costly inspections.”