New Data Breach in China Exposes Faces and License Plates

New Data Breach in China Exposes Faces and License Plates

While data breaches involving facial recognition software are relatively rare within many parts of the world, due in large part to the limited use of such technologies worldwide, the nation of China is unique in that the country’s government has implemented facial recognition technology on a level and scale that is very much unprecedented. For instance, conservative estimates posit that the Republic of China has currently installed more than 600 million individual facial recognition cameras around the country, while others have estimated that this number is potentially higher. To this point, China’s use of facial recognition technology comprises a wide range of applications, including everything from large-scale surveillance systems that are administered by the country’s police forces to individual cameras that are present within small rural towns.

However, this prevalence of facial recognition technology also means that there are databases that contain millions of images of the faces of Chinese citizens, as well as the corresponding license plates for the multitude of automobiles that these citizens drive. With all this being said, it was announced on August 30, 2022, that “a tech company called Xinai Electronics based in Hangzhou on China’s east coast” had sustained a security breach that resulted in the personally identifiable information of millions of Chinese citizens being disclosed to the general public in a manner that was unauthorized. This is in spite of the fact that Xinai Electronics has claimed that the various forms of personal data were being protected via the company’s secure servers.

Data security concerns

On the contrary, there has been strong evidence to suggest that Xinai Electronics had essentially been failing to safeguard the personal data of the various customers they served on a daily basis. More specifically, security researcher Anurag Sen uncovered that he was able to access the company’s exposed database via an Alibaba-hosted server within China. As stated by Sen, “the database contained an alarming amount of information that was rapidly growing by the day and included hundreds of millions of records and full web addresses of image files hosted on several domains owned by Xinai. But neither the database nor the hosted image files were protected by passwords and could be accessed from the web browser by anyone who knew where to look.”

As it concerns the content of this data, reports have claimed that the personal information that was disclosed included links to high-resolution images of individual faces, license plates that were captured by Xinai cameras within parking garages, and resident ID numbers, in addition to other common forms of personal data such as first and last names, age, and sex. What’s more, it has also been reported that this information was available to the general public for several months, as Xinai Electronics had failed to inform Chinese consumers of the breach prior to the exposure of the incident to the world’s major media platforms in August of 2022.

China’s Personal Information Protection Law

On top of this, China recently enacted the Personal Information Protection Law (PIPL) in November of 2021, the first comprehensive data protection law to be passed within the nation to date. As one of the many data privacy laws to be influenced by the EU’s General Data Protection Regulation (GDPR) in recent years, the PIPL serves to protect the personal data and privacy of Chinese citizens. Nonetheless, many of the police and government agencies that make up the national surveillance infrastructure are exempt from many of the provisions of the law. To this end, while it remains to be seen whether Xinai Electronics will ultimately be charged for violating the provisions of the PIPL, many of the other organizations within China that also maintain substantial databases containing personal information may have very well been excluded from punishment altogether.

To illustrate this point further, a breach of the Shanghai Municipal Police’s enormous database in June of this year also resulted in the personal information of millions of Chinese citizens becoming compromised. However, due to the obvious role that the Shanghai Municipal Police plays in the governance of the city at large, the consequences that the organization has faced as a result of the breach have been minimal at best, despite the fact that the breach has been described as potentially the largest and most far-reaching to have ever occurred in history, as it has been suggested that the breach impacted more than 1 billion people around the world.

Due to the massive leaps that have been made with regard to technology such as artificial intelligence in the past fifteen years, there are a number of products and services that are currently available to the general public that had previously been thought to be impractical or unfeasible. Nevertheless, these newfound technologies also have the potential to infringe on the data privacy rights of citizens around the world, as the string of major data breaches that are reported to have occurred in the nation of China clearly highlights. Because of this, businesses and organizations around the globe will have to begin taking additional measures to protect the data of the customers they serve, lest they face longstanding consequences.