A hacker is offering to sell a gigantic Shanghai police database that he says contains sensitive information on around one billion Chinese residents – including their names, addresses, birthdates, and crime and case reports.
The hacker, who goes by the name “ChinaDan”, says that the database also contains photos used in official documents or captured by facial recognition systems.
If the claim is true, it would amount to one of the largest data breaches in history, especially given the nature and extent of the personal information. The asking price for the database is 10 bitcoin – worth around £169,000 at the time of publication.
“In 2022, the Shanghai National Police (SHGA) database was leaked. This database contains many [terabytes] of data and information on Billions of Chinese citizen,” ChinaDan posted on Breach Forums, a hacking forum.
“Databases contain information on 1 Billion Chinese national residents and several billion case records, including: name, address, birthplace, national ID number, mobile number, all crime/case details.”
Some information posted as a sample appeared to be correct – the Wall Street Journal and AFP contacted some of those included in the sample, who verified sensitive personal information.
Chinese authorities have not publicly commented on the breach. Search terms relating to it, including “data leak”, were censored on Chinese social media.
China’s first COVID-19 vaccine mandate to be introduced in Beijing
Crew abandons sinking ship that snapped in half after being hit by deadly typhoon in South China Sea
John Lee is Hong Kong’s new chief executive – who is he and why are pro-democracy activists concerned?
The Chinese government routinely collects a dizzying array of data on its own citizens, such as when they take train and plane rides or check into hotels, and CCTV coverage is in some places ubiquitous. Beijing police said as far back as 2015 that “every corner” of the city was covered by video surveillance. Many of those cameras have facial recognition capabilities.
In November last year, China introduced the country’s first comprehensive data privacy law, placing stricter restrictions on what companies were permitted to do with user data, and how they must store it.
However, that law regulated private companies’ access to data, rather than government and police databases.
The scale of the data leak would put it among the largest in history. In 2013, Yahoo stated that all of its three billion accounts had been hacked – thought to be the biggest breach in history, although the personal information stolen was less sensitive than the Shanghai police leak, if true.