Hacker Claims Major Chinese Citizens’ Data Theft

A hacker claiming to have stolen personal data from hundreds of millions of Chinese citizens is now selling the information online.

A sample of 750,000 entries posted online by the hacker showed citizens’ names, mobile phone numbers, national ID numbers, addresses, birthdays and police reports they had filed. 

AFP and cybersecurity experts have verified some of the citizen data in the sample as authentic, but the scope of the entire database is hard to determine.

Advertised on a forum late last month but only picked up by cybersecurity experts this week, the 23-terabyte database — which the hacker claims contains the records of a billion Chinese citizens — is being sold for 10 bitcoin (approximately $200,000).

“It looks like it’s from multiple sources. Some are facial recognition systems, others appear to be census data,” said Robert Potter, co-founder of cybersecurity firm Internet 2.0. 

“There is no verification of the total number of records and I’m sceptical of the one billion citizens number,” he added.

China maintains an extensive nationwide surveillance infrastructure that siphons massive amounts of data from its citizens, ostensibly for security purposes. 

Growing public awareness of data privacy has led to stronger data protection laws targeting individuals and private firms in recent years, although there is little citizens can do to stop the state from collecting their data. 

Some of the leaked data appeared to be from express delivery user records, while other entries contained summaries of incidents reported to police in Shanghai over a span of more than a decade, with the most recent from 2019.

The incident reports ranged from traffic accidents and petty theft to rape and domestic violence.

– ‘Heads will roll’ –

At least four people out of over a dozen contacted by AFP confirmed their personal details, such as names and addresses, as listed in the database.

“So that’s why so many people have been adding my WeChat over the past few days. Should I report this to the police?” said one woman surnamed Hao.

“I’m really confused about why my personal data has been leaked,” said another woman surnamed Liu.

In replies to the original post, users speculated that the data may have been hacked from an Alibaba Cloud server where it was apparently being stored by the Shanghai police. 

Potter, the cybersecurity analyst, confirmed that the files were hacked from Alibaba Cloud, which did not respond to an AFP request for comment.

If confirmed, the breach would be one of the largest in history and a major violation of the recently approved Chinese data protection laws.

“Heads will roll over this one,” tweeted Kendra Schaefer, tech partner at research consultancy Trivium China.

China’s cybersecurity administration did not respond to a fax requesting comment.

Related: New Law Will Help Chinese Government Stockpile Zero-Days

Related: China Mandates Cybersecurity Reviews for Tech Product Acquisitions