THE REPORTED BREACH of the Shanghai police database is — at the very least — an embarrassment to China’s cybersecurity services but could have more serious ramifications.
According to Bloomberg, unidentified cybercriminals stole 23 terabytes of data, including personal and criminal case information of more than 1 billion citizens. An anonymous poster on the Dark Web using the handle ‘ChinaDan’ claimed to have stolen the data trove from the Shanghai National Police database and offered it for sale for 10 bitcoin ($197,00 at current depressed crypto prices).
Authorities have thus far disclosed no information on how the most extensive known hack of Chinese data happened or who might have executed it. We may never know, even if the official investigation reveals a vulnerability at the Shanghai police’s cloud services provider, almost certainly a Chinese big-tech firm. Alibaba, Tencent and Huawei are China’s leading cloud services providers.
Early speculation by outside cybersecurity experts is that there was a bug or misdeployment of the distributed search and analytics engine widely used by cloud services. Tighter regulation or rectification of cloud-service providers would hint at where authorities believe the cause of the hack to have been. So, too, would demotions, or worse, of police personnel or other members of the security apparatus.
One reason that the hack is so embarrassing for the Chinese government. Another is that it is now implementing a strict data privacy and protection regime under the umbrella Data Security Law and Personal Information Protection Law enacted last year and the earlier Cybersecurity Law. The trio imposes stringent data privacy obligations on all businesses regarding personal and non-personal data while giving state agencies extensive leeway over collecting and processing such data.
Internationally, the leaking of data files on Xinjiang has had reputational and sanctions consequences for China. The scale of this breach will again expose Beijing to scrutiny over the extent of state surveillance.
Should reports escape the censors (the hashtag #dataleak has been blocked on Weibo), some Chinese may ask themselves not just why authorities hold so much personal data but why police in a city of 28 million have data on more than 1 billion people. However, police are a national force under the Ministry of Public Security, and the hacker(s) may have accessed the ministry’s records via the Shanghai police database. Yet that, in turn, is a reminder of how interconnected China’s internal security systems are.