"In a big potential breach, a hacker offers to sell a Chinese police database" 6 July 2022

In what may be one of the largest known breaches of Chinese personal data, a hacker has offered to sale a Shanghai police database that could contain information on perhaps one billion Chinese citizens.

The unidentified hacker, who goes by the name ChinaDan, posted in an online forum last week that the database for sale included terabytes of information on a billion Chinese. The scale of the leak could not be verified. The New York Times confirmed parts of a sample of 750,000 records that the hacker released to prove the authenticity of the data.

The hacker, who joined the online forum last month, is selling the data for 10 Bitcoin, or about $200,000. The individual or group did not provide details on how the data was obtained. The Times reached out to the hacker via an email on the post, though it could not be delivered as the address seemed to be incorrect.

The hacker’s offer of the Shanghai police database highlights a dichotomy in China: Although the country has been at the forefront of collecting masses of information on its citizens, it has been less successful in securing and safeguarding that data.
China’s government has worked to tighten controls over a leaky data industry that has fed internet fraud. Yet the focus of the enforcement has often centered on tech companies, while authorities appear to be exempt from strict rules and penalties aimed at securing information at internet firms.

Yaqiu Wang, a senior China researcher at Human Rights Watch, said if the government doesn’t protect its citizens’ data, there are no consequences. In Chinese law, “there is vague language about state data handlers having responsibility to ensure the security of the data. But ultimately, there is no mechanism to hold government agencies responsible for a data leak,” she said.

Last year, for example, Beijing cracked down on Didi, China’s equivalent of Uber, after its listing effort on the New York Stock Exchange, citing the risk that sensitive personal information could be exposed. But when local authorities in the Chinese province of Henan misused data from a Covid-19 app to block protesters last month, officials were largely spared from severe penalties. [...]