A Chinese police database that stored information on around a billion Chinese citizens was reportedly left exposed for over a year before a hacker wiped the database and left a ransom message demanding 10 Bitcoin, valued at about $200,000, according to cybersecurity experts who discovered the security breach.
The Wall Street Journal first reported on the breach of police records in Shanghai on Wednesday, citing the cybersecurity experts who uncovered a vulnerability in the database earlier this year. The Shanghai police database stored the names, government ID numbers, phone numbers and incident reports of around a billion people, in a country of around 1.4 billion people total.
The cybersecurity experts said the database itself was stored securely, but a dashboard for accessing the database was set up on a public web address without password protection. This setup reportedly allowed anyone with even basic technical knowledge to get into the database and steal the information.
Bob Diachenko, the owner of the cybersecurity research firm SecurityDiscovery, told the Wall Street Journal that this vulnerability existed in the database from April of 2021 until midway through last month. It was at this time, he said, that the database was wiped clean and Shanghai police discovered a ransom note left behind.
Diachenko shared with the Wall Street Journal screenshots of the ransom note, which reads “your_data_is_safe” before advising “contact_for_your_data…recovery10btc.” Ten Bitcoin (10 BTC) is currently valued at about $204,000.
The ransom amount reportedly matches the amount an anonymous user on a cybercrime forum began asking for last month in exchange for access to a database. The user claimed the database contained billions of records of Chinese citizens’ information stolen from a Shanghai national police database.
Vinny Troia, the founder of dark web intelligence firm Shadowbyte, told the Wall Street Journal that it’s fairly common for those demanding a ransom payment to sell off stolen data online if the victim doesn’t pay up.
Both Troia and Diachenko expressed shock that this much digital data was left vulnerable to hackers.
“That they would leave this much data exposed is insane,” Troia said.
The government in Shanghai and the Cyberspace Administration of China both declined Wall Street Journal requests for comment.
References to the massive data breach on Chinese social media sites are also being censored, according to the Wall Street Journal.
According to the New York Times, the data breach comes as Chinese citizens have increasingly expressed concerns about their privacy and data protection. The publication wrote that if this breach were more widely known in China, it would likely add to the public resistance to data collection efforts by companies and government agencies in China.
The yearlong exposure of the database and the offers to sell the data on cybercrime forums mean that an unknown number of copies of the personal information of nearly a billion Chinese citizens could be on the loose for years.