THE MOTHER OF ALL DATA LEAKS
Until last week, when a member posting anonymously in a hacker forum offered to sell the data, a sizable online database believed to hold the personal information of up to a billion Chinese individuals had been left unprotected and open to the public. According to cybersecurity experts, the breach could be one of the greatest ever documented, illustrating the dangers of gathering and keeping enormous volumes of sensitive personal data online, particularly in a nation where authorities have open access to such data.
According to LeakIX, a website that finds and indexes online exposed databases, the vast amount of Chinese personal data had been accessible to the public via what appeared to be an unsecured backdoor link since at least April 2021. This link is a shortcut web address that grants full access to anyone who knows it. After an anonymous user posted on a hacker forum last Thursday offering more than 23 terabytes (TB) of data for sale for 10 bitcoin — nearly $200,000 — access to the database, which had no password requirement, was shut down. According to the user, the database was compiled by the Shanghai police. It contained private data on one billion Chinese citizens, including their names, addresses, phone numbers, national ID numbers, ages, and places of birth. It also allegedly contained massive amounts of data of calls made to police to report crimes and civil disputes.
The seller’s post contained a representative sample of 750,000 records drawn from the database’s three primary indexes. CNN was unable to access the original database, but more than two dozen entries from the seller’s sample were authenticated by CNN.
CNN repeatedly sent written requests for comment to the Shanghai police and administration, but neither responded. The seller also stated that Alibaba Cloud, a division of Chinese e-commerce juggernaut Alibaba, had housed the unprotected information. Alibaba informed CNN that it was aware of the matter and was looking into it. However, according to experts CNN spoke with, the corporation hosting the data was not at fault; instead, the data’s owner was. Troy Hunt, a Microsoft regional director located in Australia, said of the current situation: “I suppose this would be the greatest leak of public data yet — definitely regarding the magnitude of the effect in China, we’re speaking about most of the population here.”
Given that there are 1.4 billion individuals living in China, the data leak may impact more than 70% of the country’s population. “The genie won’t be able to return to the bottle in this particular instance. There is no turning back once the material is published in the manner in which it currently looks,” Hunt said. The information was made publicly accessible online for at least 14 months. However, how many individuals have visited or downloaded it during that time is unknown. Before the database was forced into the public eye last week, two Western cybersecurity specialists who spoke to CNN knew it existed, indicating that it could be easily found by those who knew where to search. Founder of the dark web intelligence company Shadowbyte and cybersecurity expert Vinny Troia claimed to have come across the dataset “around January” when looking for open databases online. “All you need to do to access the website I found it on is sign up for an account,” according to Troia. He continued, “Any number of persons might have downloaded the data since it was opened in April 2021.”
Troia claimed to have retrieved one of the database’s primary indexes, including details on around 970 million Chinese individuals. According to Troia, it was difficult to determine whether the access was a mistake made by the database’s owners or a deliberate shortcut meant to be used by a select group of users.
He stated, referring to the authorities in charge of the database, “Either they forgot about it, or they purposefully left it open since it is easier for them to access.” “I cannot imagine why they would. It sounds incredibly sloppy.” Cybersecurity analysts claim it is not rare to encounter databases left accessible to the public. Unsecured personal data is a problem that businesses and governments worldwide face more frequently due to leaks, breaches, or other instances of ineptitude.
According to Wired, Troia learned in 2018 that a Florida-based marketing company had exposed nearly 2 TB of data that appeared to include confidential info on hundreds of millions of American adults on a server that was open to the public.
According to Reuters, in 2019, Dutch cybersecurity researcher Victor Gevers discovered an online database that contained the names, national ID numbers, birth dates, and locations of more than 2.5 million people in China’s Xinjiang region. The database had been left unprotected for months by Chinese company SenseNets Technology.
Security experts say the most recent data breach is particularly concerning given the sensitivity of the material it may include and its potentially record-breaking amount. According to a CNN review of the database sample, police files on incidents from over 20 years, from 2001 to 2019, were discovered. While civil issues make up the bulk of the entries, there are records of criminal incidents, from rape to fraud.
In one instance, a Shanghai resident was cited by police in 2018 for allegedly retweeting “reactionary sentiments involving the (Communist) Party, politics, and leaders” while circumventing China’s firewall through a virtual private network (VPN). According to another report, a mother reported her father-in-law to the police in 2010 on suspicion of raping her 3-year-old daughter. Hunt, the regional director for Microsoft, stated that “there might be domestic violence, child sexual abuse, all sorts of things in there, which to me is a lot more concerning.”
“Could this result in extortion? Following data breaches, we frequently witness cases of extortion, in which hackers have even tried to hold people for ransom.” Recently, the Chinese government has increased its efforts to strengthen the protection of online user privacy. The nation’s first Personal Information Protection Law, which established guidelines for collecting, using, and storing personal data, was passed last year. Although the law can control technological corporations, experts have expressed worry that it could be challenging to implement when applied to the Chinese government.
Ukraine-based security researcher Bob Diachenko discovered the database for the first time in April. Midway through June, his business found that the database had been targeted by an unidentified hostile actor. According to Diachenko, the actor copied and deleted the data and left a ransom note requesting 10 bitcoin to have it recovered. It is unclear whether this was done by the same individual who announced the sale of database information last week. According to Diachenko, the ransom letter had vanished by July 1, but only 7 gigabytes (GB) of data were available, not the 23 TB that had been first promised.
Diachenko said it suggested the ransom had been resolved. Still, the database owners had continued to use the exposed database for storage until it was shut down over the weekend. “Maybe there was some junior developer who noticed it and tried to remove the notes before senior management noticed them,” he said.
Shanghai Police did not respond to CNN’s request for comments on the ransom note.
Courtesy Of Kenya Citizen Digital and CNN