Claims of the largest cyberattack in Chinese history have sparked an open debate about the extent to which Beijing hoovers up personal data and uses private firms to safeguard that trove, a discussion that could have ramifications for the broader technology industry in China.
If verified, the purported theft of 23TB of personal information on as many as a billion Chinese citizens from a Shanghai police database would rank as the country’s largest ever known data breach, if not one of the biggest leaks the world has seen. The allegations that emerged over the weekend have set tech circles buzzing and prompted rare public comment from high-profile industry figures such as Binance co-founder Zhao Changpeng.
Questions remain about how the unknown hackers apparently gained access to the trove run by the Ministry of Public Security’s Shanghai branch, which according to online posts included data detailing user activity from most popular Chinese apps, addresses, and phone numbers. A seller had asked for 10 Bitcoin, worth around $200,000, in exchange for the data.
Many forensic experts agreed there were significant security lapses. To researchers who have examined the underlying source code and database samples, the breadth of the purported data underscores not only the staggering scale of government data collection in the People’s Republic of China but also the numerous risks in how that information is managed.
“The PRC government is likely in crisis mode right now,” said Dakota Cary, a consultant with the Washington-based Krebs Stamos Group. “It seems obvious to ask why Shanghai MPS needed access to all this data, but this is the exact system of surveillance and detail about individuals that the government wants.”
Chinese President Xi Jinping has long identified data as key for governing and driving the country of 1.4 billion. Beijing is pouring money into digital infrastructure, rolling out new laws and building data centers to position China as a leader in the digital economy. The Shanghai breach may become an embarrassment for Xi as he tries to secure a precedent-breaking third term as president later this year.
“It is necessary to safeguard the country’s data security, protect personal information and business secrets, and promote the efficient circulation and use of data so as to empower the real economy,” Xi stressed in a meeting with a top government body less than two weeks ago, according to a readout from the official Xinhua News Agency.
Yet official agencies have remained noticeably silent this week even as the debate gained momentum online. Chinese state media have yet to report on the incident. Many -- but not all -- posts about the leak on Chinese social media have been removed. And the Shanghai authorities have so far not publicly responded.
Representatives for the city’s police and Cyberspace Administration of China, the country’s internet overseer, also haven’t responded to faxed requests for comment. A Foreign Ministry spokesman said only that he was not aware of the report Monday, in an exchange that was left off the official transcript for the agency’s daily briefing.
“There’s no doubt among Chinese citizens that the government does collect their data, but the loss of it to criminals is embarrassing for the government,” Cary added.
That silence has given rise to a number of theories on how the breach took place. Some security researchers who spoke with Bloomberg News said the incident may have occurred after a developer accidentally posted database access keys online, a lapse that wouldn’t seem to fully explain apparent access to an internal police network.
Others argued it’s more likely a cloud service provider, which hosted backups or synchronization for the police database, was somehow compromised.
If blame falls on a cloud provider for the breach, it could accelerate a migration by government agencies away from private services, now by far the largest and most popular internet computing platforms.
“There are a lot of breaches all over the world,” said Shawn Chang, founder and CEO of Hong Kong-based security firm HardenedVault. “But the size of this data breach is more rare because China collects more data from public systems.”
Chinese officials and companies rarely disclose data breaches affecting domestic services, a lack of transparency that coincides with a new emphasis on cybersecurity from Beijing.
A growing demand for privacy among the public as well as concerns around the control of sensitive data for private tech giants have fueled stronger regulations, including China’s passing of a personal information protection law in 2021. Under that legislation, which encompasses data protection and requires storage within Chinese borders, state entities that fail in their duties to protect sensitive information could incur sanctions and vague corrective measures.
But the US and other nations have repeatedly identified China as one of the world’s biggest sources of cybercriminals, which they say infiltrate systems on behalf of domestic agencies in search of valuable data or intellectual property.
(Bloomberg)