The data included names, national identification and phone numbers, medical records, details from police reports and other information. Though the authenticity of the full database had not been confirmed, The Post’s review of some ID numbers appeared to track with information found on a government website.
The alleged hackers said there were several billion case reports — from thefts to fights to domestic violence, dated from the late 1990s to 2019 — and the records of 1 billion Chinese citizens. If authenticated, the database would cover more than 70 percent of China’s 1.4 billion percent of residents. The personal information and reported incidents were contained in separate files.
Despite the scope, the government were blocking victims from learning about the leak. On Weibo, a widely used Twitter-like platform in China, a keyword search for “data leak” or “Shanghai police database” failed to return any results related to the breach. One affected individual, in an interview with The Post, confirmed details of the record associated with them but had not known about the leak.
Analysis: Here are four big questions about the massive Shanghai police leak
The breach came after China’s Personal Information Protection Law took effect last year, which imposed stringent security safeguards on corporate and government entities that handle personal information. The law was passed after Chinese regulators ordered more than 40 companies to change their operations for violating data transfer rules, Reuters reported.
Kendra Schaefer, the head of tech policy research at China-focused research team Trivium China, said in a Twitter post Monday that the incident was the first major public breach by a government body under the new law. “So it’s unclear who holds who accountable,” she said. The Ministry of Public Security (MSP) would typically oversee cybercrime investigations.
“The records also allegedly contain details on case files of minors,” Schaefer said. “So that would be a violation of the Minor Protection Law.” She raised the possibility that the data contained information of celebrities or officials.
In the released sample data set, certain information was associated with individuals listed under the “seven categories of key people,” a reference to individuals monitored by MSP for suspected criminal activity.
State departments, the Shanghai government and the Shanghai police department did not respond to requests for comment.
However, it’s also possible the files had been online before the law became effective — it only received public attention after the alleged hacker released it online. Cybersecurity researcher Vinny Troia told CNN that he was made aware of the database in January on a public site, which was opened in April 2021, meaning anyone could have accessed the database since then.
There’s also speculation government staff accidentally included the credentials necessary to access the database in a blog post on the Chinese Software Developer Network, a forum for developers to share code. Changpeng Zhao, the chief executive of the cryptocurrency exchange Binance, referenced the theory in a tweet on Monday. He said that the company had “already stepped up verifications” for users who were potentially affected.
The unnamed poster claimed that the database was hosted by AliCloud, a subsidiary of Chinese e-commerce giant Alibaba Group. Cloud providers affiliated with big tech companies, like AliCloud, typically built the digital infrastructure for government agencies.
Alibaba Group did not respond to the request for comment.
But Shawn Chang, the chief executive of security solution provider HardenedVault found the theory unconvincing. “Shanghai is a city [with] 250 million population. AliCloud is unlikely [to use] one key for the whole police system,” he said. He added that the breach could be elsewhere, such as with centralized key management services that failed to go through the authentication process.
Web security consultant Troy Hunt said that the anonymity of the person who offered the sale, as well as the size of the database, raised questions over its accuracy. The solicitation of a large payout also raises the possibility the claim has been exaggerated or falsified, he added.
But the data was also strong “because it is a very unique class of information,” Hunt said. Unlike self-reported names and phone numbers while filling out a form online — which were seen in other data breaches — it was police reports that “would only really be in one place.”
It’s no secret that government entities in China have poorly managed data systems. “The problem with Chinese government is that they collect all citizens’ data on public service platforms, which had serious consequences once the data was leaked,” Chang said. “Anywhere you go, you have to submit your information. But there is not a systematic way to manage those data. Private companies are also bad at managing data, but are better than the government.”
Earlier this year, a researcher obtained a cache of documents from Xinjiang Police, which detailed draconian surveillance and reeducation practices in the region and shed lights on Beijing’s crackdown on the Uyghur population.