A hacker operating under the name ChinaDan claims to have stolen over 23 terabytes of data from Shanghai National Police (SHGA) databases. The dataset includes personal information on more than 1 billion Chinese nationals and several billion case records.
The dataset, which spans several individual databases, is being offered for sale on hacking forums for 10 bitcoins – approximately $197,000. The data includes personal information such as names, addresses, telephone numbers, national ID numbers, and details of criminal records. A sample of data that included around 750,000 police records was shared by ChinaDan to allow potential buyers to verify the data is legitimate.
According to ChinaDan, the data was obtained from a local private cloud (Alibaba Cloud) that was part of the Chinese Police Network. Exposures of sensitive data over the Internet are commonplace and are mostly due to misconfigurations of cloud services. In this case, the private cloud appears to have been accessed using stolen credentials.
According to Binance CEO Zhao Changpeng, a developer who worked for the Chinese government had posted on a tech blog on CSDN, but accidentally included credentials that allowed the databases to be accessed.
At this stage, it has not been possible to verify the number of affected individuals but based on checks of the data performed so far, individuals whose information is present in the database have confirmed that all data is correct. Karen Hao of the Wall Street Journal made contact with five people whose data was present in the sample and all verified the data was correct.
If the data breach is confirmed – neither the Shanghai government nor police department responded to requests for comment by Reuters – this data breach will be one of the largest in history, and arguably the most serious data breach to affect China.