New Alleged Data Breach in Shanghai, Data Privacy Issues

New Alleged Data Breach in Shanghai, Data Privacy Issues

On June 30, 2022, it was reported that a data breach occurred in the city of Shanghai, China which is alleged to have one of the largest to have ever occurred in world history. More specifically, a hacker named “China Dan” created a post on an online forum effectively advertising the sale of over sale 23 TB  of personal data for 10 bitcoin, which amounts to roughly $200,0000. While the details concerning the event have still not been completely substantiated, the information that “China Dan” was seeking to sell has reportedly been obtained from a breach that was levied against the Shanghai Municipal Police, which is alleged to have included the personal information of more than 1 billion people.

In terms of the forms of personal information that “China Dan” has offered to sell, it has been alleged that the pilfered data includes phone numbers, names, street addresses, age and gender information, and unique 18-digit Citizen Identity Numbers. While large-scale data breach incidents are by no means a new occurrence, be it in China or in any other major industrial country around the world, the personal information of more than 1 billion people being accessed and disclosed in an unauthorized manner is undoubtedly a concerning development from virtually any perspective. As data protection and personal privacy continues to be a global issue, the recent breach that was alleged to have occurred in Shanghai last month has been very embarrassing for citizens and businesses within the country alike.

Data collection practices in China

While data collection practices are largely unregulated in much of the developed world, safe from EU nations that must adhere to the provisions of the GDPR, among other pertinent legislation, the sheer amount of personal data that the Chinese government collects from its citizens has led to a great level of concern within the country. On top of this, the sheer number of people that reside and use the internet within the nation creates an environment where a data breach of an enormous magnitude was all but inevitable. For context, the Chinese government requires citizens of the nation to complete real-name registration before taking advantage of certain products and services, including SIM cards for use in smartphones, as well as online platforms such as Alibaba.

The real culprit in the alleged data breach, however, are the various law enforcement agencies that serve residents within the country, as authorities within China are permitted to collect a wide range of personal information about citizens. These forms of personal data include but are not limited to the DNA of individuals to their social media accounts, as China is currently the largest surveillance state in the world. To his point, Comparitech, a U.S.-based pro-consumer website, has reported that China contains 8 of the most surveilled and monitored cities in the world, as government officials have installed everything from basic security cameras to cutting-edge facial recognition software programs across a large swath of the nation.

The Exit and Entry Administration Law

On top of this, China also enacted the Exit and Entry Administration Law in 2013, which mandates that all foreign visitors to the country register with the police state in their local jurisdiction within 24 hours of arriving in the country. Subsequently, while the sheer number of people that have been affected by the alleged data breach that the Shanghai Municipal Police has not been confirmed, on the whole, the hacker “China Dan” also uploaded three sample folders containing personal information for prospective buyers, which contained 750,000 police database entries. Among these database entries, it was confirmed that up to 55 U.S. citizens also had their personal information stolen, in addition to hundreds of Chinese residents.

An alleged previous data leak

To make matters worse, there were also claims made on the leak intelligence website LeakIX that allege that personal information had been stolen from the Shanghai Municipal Police as early as April of 2021. As stated by Bob Diachenko, founder of cybersecurity research firm Security Discovery, “his company was concerned about the exposure of this set of data in April this year, and no password was set until the database was hacked in June.” While the notion that the million of more than 1 billion people being hacked during a data breach is already troublesome enough, the idea that such information had already been made accessible to the general public for more than a year prior has added an additional layer of worry and distress for residents of China.

Despite the alleged data breach that the Shanghai Municipal Police experienced over the course of the last year and a half, the nation of China enacted the Personal Information Protection Law (PIPL) on November 1, 2021. While China has already passed various laws pertaining to personal data privacy, including China’s Personal Information Security Specification, as well as China’s Cybersecurity Law, the PIPL represents the first comprehensive data protection law to be passed within the nation. With all this being said, the manner in which this newfound legislation will work to curtail future data and security breaches remains to be seen, as the prospect of protecting the data of individuals grows more and more challenging with each passing year.