One billion Chinese files were likely leaked by sloppiness, not hacking

The global cybersecurity community was set alight this week by the news that data on more than 1 billion people were leaked from a Shanghai police database. The implications could be wide-ranging, yet the most astounding aspect of this case may be the fact that it likely wasn't a hack that caused it, but basic errors in digital hygiene.

The asking price for the database, which includes several billion case records, is just 10 bitcoin ($202,000). This indicates the seller is someone who happened across the data and is being opportunistic rather than a professional hacker motivated by money. A sample of the data posted in an online forum, and viewed by Bloomberg Opinion, shows records of people across China with names, identification and mobile phone numbers, the original source of the data, and a reference to the first time the details were entered into the record. 

Chillingly, the database includes fields referring to express delivery and food-order details. This could imply that this data was compiled by police from multiple sources across the country, beyond what law enforcement typically gathers firsthand. Of course, there may be other explanations for such data, too.

Bloomberg Opinion was unable to independently verify the authenticity of the data, yet numerous posts in that same forum indicate that users have checked it and found it to be real. Shanghai authorities haven't publicly responded to the alleged data breach. Representatives for the city's police and Cyberspace Administration of China, the country's internet overseer, did not respond to requests for comment by Bloomberg News.

Whereas hackers seek to penetrate a computer system, possibly using malware and phishing attacks, this breach seems to be far more straightforward. It appears a software developer may have left an access key visible in an online code repository or in a blog post, according to data posted in public forums and social media, and discussions among people familiar with the case but not directly involved. This key is similar to, but functions differently from a password.

With that key, and a basic understanding of how the database was set up — which wouldn't require inside knowledge — it's likely the information was extracted by accessing a poorly configured server. The consensus in the cybersecurity community leans toward this not being a hack, but an example of sloppiness and poor security practices, though the exact method for obtaining the data hasn't been confirmed. 

The information posted online indicates that the database was run by the Shanghai police, but may have been hosted on a server operated by Alibaba Holding Group Ltd.'s Alicloud. There's no suggestion that Alicloud is responsible for any security vulnerabilities. Alibaba didn't respond to emails and phone calls seeking comment. It's not clear if the person or people who downloaded the data is the same as those selling it. 

Data breaches are notoriously common. From targeted attacks — as in the 2020 Solarwinds hack by Russian agents — to those caused by poor security, like the 2019 case of First American Financial Corp. Yet this Shanghai police incident may end up being one of the largest ever leaks, especially given the depth of information contained.

While there's no evidence that financial details such as credit card numbers are included, investigators are likely to pore over the data to build a picture of modern Chinese society and how the government functions. A previous leak of a Chinese police database formed the foundation for research into how authorities monitor and control the country's Uyghur population. This work was subsequently published by the Australian Strategic Policy Institute and the Intercept. Beijing has repeatedly denied accusations that it represses Uyghurs.

As a greater understanding of this breach comes to light, including what all the fields mean and how they connect to various organisations across China, we're likely to garner an even more-detailed understanding of China's data-collection framework and how it uses information to keep tabs on its people. Yet we shouldn't lose sight of the fact that 1 billion people are now potential victims of yet another digital breach caused by bad security practices.

Tim Culpan is a Bloomberg Opinion columnist covering technology. He previously covered technology for Bloomberg News.

Disclaimer: This article first appeared on Bloomberg, and is published by special syndication arrangement.