To protect sensitive data, China’s government has built one of the world’s strictest cybersecurity and data-protection regimes. Despite those efforts, a thriving cross-border underground market has grown up around the trade in the data of Chinese citizens.
Much of that data comes from another of the Chinese government’s big security projects: its extensive surveillance network.
Earlier this month, an anonymous user on a popular online cybercrime forum put up for sale data of an estimated 1 billion Chinese citizens that was stolen from the Shanghai police. The heist was one of the largest in history and included particularly sensitive data, such as government ID numbers, criminal records, and detailed case summaries such as allegations of rape and domestic abuse.
The Wall Street Journal has since found dozens more Chinese databases offered for sale, and occasionally free, in online cybercrime forums and Telegram communities with thousands of subscribers. Four of the stolen caches contained data likely taken from government sources, according to a Journal review, while several others were advertised as containing government data.
Tens of thousands more databases in China remain exposed on the internet with no security, totaling over 700 terabytes of data, the largest volume of any country, according to LeakIX, a service which tracks such databases.
The Ministry of Public Security, Cyberspace Administration of China and Shanghai government didn’t respond to requests for comment.
All countries struggle to keep their data protected. The U.S. is second to China with nearly 540 terabytes of data left open on the public internet, LeakIX’s analysis shows. China is unique, however, for the comprehensive and sensitive nature of its exposed data—a consequence of the way it centralizes multiple streams of information from government and corporate sources on state-run surveillance platforms.
Amassing so much data in a single place inherently increases the risk it will escape into the wild, according to cybersecurity experts. One weak or stolen password, successful phishing attempt or disgruntled employee “can cause the whole system to come down,” says
founder of dark web intelligence firm Shadowbyte, which scans the web for unsecured databases.
Now that vulnerability is undermining Beijing’s efforts to keep the country’s data from being exploited by bad actors, according to
a leading China cyber policy expert at New America, a Washington, D.C. think tank.
The Chinese government has considered protection of the country’s data a national security priority since 2013, when former NSA contractor Edward Snowden revealed that the U.S. government had hacked its way deep into the Chinese internet’s backbone. The revelation jolted senior Beijing officials, including newly appointed president
who moved swiftly to lock down the country’s cyberspace, already home to more than half a billion Chinese internet users.
Over the next few years, as hundreds of millions more citizens came online, Chinese authorities also discovered rampant problems with domestic data security. Underground brokers fed a lucrative trade in personal information, much of it stolen from government computer networks, which fed public outrage as telephone scammers exploited it to cheat victims out of vast sums of money.
In 2021, China’s government passed a personal information protection law modeled on the European Union’s data rules—considered among the world’s strictest—which put tight limits on the collection and cross-border transfer of personal data. It was the capstone on an elaborate structure of new data-protection regulations that also included a sweeping Cybersecurity Law passed in 2017 to stop sensitive Chinese data from leaving the country.
At the same time, Mr. Xi presided over the construction of a massive digital surveillance state that combined biometric tools such as facial recognition with ID numbers and large quantities of behavioral data harvested by tech companies. Increasingly, this data has been collected and analyzed on centralized platforms, which Chinese authorities use to sniff out, or even predict, actions they consider threatening to social order.
Shanghai was among the first cities to unveil a fully integrated data platform with AI capabilities in 2019. The platform pulls in data from various government functions such as public security, public healthcare and transportation, as well as from private companies offering express and food delivery, according to a state-media interview with a Shanghai police department director.
“Data is like sea water, the more we drink the thirstier we are,” said
the director of the Shanghai Public Security Bureau technology office, in describing the government’s need for such a platform to state-owned media in 2018.
The risks of indulging the government’s large thirst for data became apparent late last month, when billions of records of Shanghai police data turned up for sale in an online cybercrime forum.
Shanghai’s government and police didn’t respond to requests for comment.
That heist helped shine a spotlight on the troves of Chinese data being offered for sale on a loose network of online forums and channels on the chat app Telegram.
Within days after the user began hawking the database stolen from Shanghai police for the equivalent of $200,000, advertisements for all or parts of the data began appearing all over the network in various forms. Meanwhile, several other posts sprang up in the original forum offering similar data at lower prices.
One, advertising the same database, put the price tag at $100,000. Another, from a user claiming to be a police officer from central China’s Henan province inspired by the Shanghai theft, offered the personal information of 90 million people for one bitcoin, or roughly $20,000.
A third post promoted an alleged nine million records from China’s Center for Disease Control for $2,000. A few days later, a fourth popped up selling 40,000 records of Chinese citizens’ names, phone numbers, addresses, and government ID numbers for $500.
A Journal analysis of the data samples provided in each post found they likely came from distinct data sources and contained several authentic entries. Like the Shanghai police leak, many metastasized through the Telegram channels, one of which offered even more deals on data from banks, delivery companies and public security bureaus, such as citizens’ ID numbers, household registration records, social benefit accounts, contact information and even facial-recognition records.
The Henan police and China’s CDC didn’t respond to requests for comment.
The underground marketplace also revealed myriad ways in which Chinese data is pilfered.
The Shanghai database, for example, was connected to an online dashboard that was left open on the public internet without a password for more than a year, according to cybersecurity experts who say such a vulnerability is common.
The sellers of two of the caches of state-collected data analyzed by the Journal said they acquired their data from company and government employees. State employees are especially easy to find through official government rosters and easy to bribe, said one seller, who operates on Telegram under a handle that means “poison” in Chinese.
“Their monthly salaries are only so much money,” the seller said. “If they give us just one database, they’ll have enough income for several years.”
China’s challenge is compounded because its data-security rules are new and unevenly enforced, especially when it comes to limiting the government’s own activities, according to China tech policy watchers.
But having so much data openly for sale on the internet is exactly the sort of national-security threat the government was hoping to avoid, they say.
Government surveillance databases inherently include sensitive information that allows foreign intelligence officers to understand a person’s pressure points or country’s vulnerabilities, said
director of the Digital and Cyberspace Policy program at the Council on Foreign Relations.
The Chinese government hasn’t publicly commented on the Shanghai leak, and references to it on Chinese social media are being scrubbed.
Days after it drew widespread international attention, Shanghai authorities announced a cybersecurity review of key websites and platforms belonging to government agencies, state-owned companies, big tech firms and other entities.
While the theft of Shanghai’s police data should serve as a wake-up call to China’s leaders, New America’s Ms. Sacks said, they are unlikely to stop cherry-picking which rules to apply to themselves.
“Why on earth would the government restrict its own ability to collect data?” she says.
Write to Karen Hao at firstname.lastname@example.org
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.