While it was not possible to immediately verify the scale of the leak, which the hacker said in a forum post contained terabytes of information on a billion Chinese people, The New York Times was able to verify parts of a sample of the hacker’s 750,000 records. released to prove the authenticity of the data. The unknown person or group sells the data for 10 Bitcoins, or about $200,000. In recent years, China’s government has worked hard to tighten controls on a leaky industry that has fueled online fraud. However, the focus of this enforcement has often been on technology companies. The government itself, which has long struggled to adequately protect the trove of data it collects on citizens, is often exempt from strict rules and penalties aimed at Internet companies. In the past, when smaller leaks were reported by so-called white-hat hackers who looked for and reported vulnerabilities, Chinese regulators warned local authorities to better protect data. Even so, ensuring discipline was difficult. With the police presiding over one of the world’s most invasive surveillance devices, the responsibility for protecting the data collected often falls to local officials who have little experience overseeing data security. As a result, there are still problems where databases remain open to the public or become vulnerable due to relatively weak safeguards. Despite this, the public in China often expresses confidence in the authorities’ handling of data and usually views private companies as less trustworthy. Government leaks are often tightly censored. Since news of the Shanghai police breach emerged and went viral online, it has been mostly censored. Chinese state media have not reported on the news. Although it was possible to verify the samples provided by the hacker, it has not been ascertained whether it contains as much data as claimed. Even so, the released samples appear to be real. One sample contained personal information of 250,000 Chinese citizens, including name, gender, address, government-issued ID number and year of birth. In some cases, even the profession, marital status, nationality, educational level and whether the person has been designated as a “key person” by the country’s Ministry of Public Security can be found. Another set of samples included police case files, which included records of reported crimes as well as personal information such as phone numbers and IDs. The cases ranged from 1997 to 2019. The other sample set contained information that appeared to be some cell phone numbers and addresses of individuals. When a Times reporter called the phone numbers of people whose information was in the police records sample data, four people confirmed the details. Four others who answered the phone confirmed their names before hanging up. None of the people contacted said they had prior knowledge of the data breach. In one case, the data provided a man’s name and said that, in 2019, he reported to police a scam in which he paid about $400 for cigarettes that turned out to be moldy. The person, reached over the phone, confirmed all the details outlined in the leaked details. Shanghai’s public security bureau has repeatedly declined to answer questions about the hacker’s claim. Multiple calls to the Cybersecurity Administration of China went unanswered Tuesday. On Chinese social media platforms such as Weibo and the communication app WeChat, posts, articles and hashtags related to the data leak have been removed. On Weibo, the accounts of users who posted or shared related information have been suspended, and others who spoke out said online they were asked to visit the police station for a chat.
