China premier stresses data security after alleged leak

Premier Li Keqiang stressed the importance of information security at a State Council meeting on Wednesday, a message that has taken on new urgency in the wake of an alleged data leak of 1 billion Chinese residents.

Chinese government bodies must “defend information security … to protect personal information, privacy and confidential corporate information” so people can feel secure when submitting data for certain public services, according to a statement summarising the cabinet meeting.

The statement did not mention specific security issues or the alleged data leak.

The main topic of the meeting was “digital government development”, a general term referring to Beijing’s plan to leverage technologies like big data and artificial intelligence for social governance and public services. The line about security did not come until the end of the statement, but securing data has become an increasingly important priority for the government, especially since the enactment of two related laws last year.

Li’s comments come after a data set allegedly containing the information of 1 billion Chinese residents appeared last week on the hacker community Breach Forum. The poster, using the handle “ChinaDan”, said the data included names, addresses, identification numbers and mobile phone numbers. The person was charging 10 bitcoin, or about US$200,000, for the full data set.

In the forum post, the data was said to be taken from a database managed by Shanghai police. If confirmed, the leak could be the largest-ever personal data security breach in the country.

Forum administrators have since removed the post. The South China Morning Post was unable to verify the authenticity of the data, and no government officials in China have responded to the alleged leak. When reached by phone, Shanghai police did not respond to a request for comment.

Cybersecurity experts told The Wall Street Journal that the data was exposed to the web through a dashboard used to access that data without a password. They said the total size of the information came in at 23 terabytes, corroborating claims from the original post.

The size of the alleged hack has triggered concerns about its implications at a time when China’s state apparatus is collecting huge swathes of data from its citizens for social surveillance and governance.

After the claimed leak, Chinese social media platforms sprang into action, censoring related content.

The information could be “the largest data leak of its kind in China”, causing a “permanent negative experience”, said Zhao Xuan, a cybersecurity lawyer at Beijing Bairui Law Firm.

“China has 1.4 billion people. The seller claimed to include the data of 1 billion, and considering it was leaked from the police database, the quantity and quality of the data could be quite high,” Zhao added.

A sample data set in the form of three JavaScript Object Notation-format files containing 560 megabytes of information included fields for names, birth dates, addresses, mobile phone numbers, personal identification numbers, photos, and even ethnicities.

At the same time, a number of users have questioned the authenticity of the leak.

“Seems like an advanced scam,” a person going by the name “Victim” responded to the post on the forum, adding that the domain used in the URLs for photos in the database redirects to a UK-based domain registration site. Another user on Twitter argued that the sample sets could have been cobbled together from previously available semi-public data.

The case highlights problems facing data security in China even as the central government has sought to enhance protections for personal information over the past year. Last November, the Personal Information Protection Law took effect, giving China some of the world’s toughest rules for personal data security by placing restrictions on how data on internet users can be collected, used and managed.

The law is set to make it significantly harder and more expensive for tech firms in China to access and use consumer information, with a broad impact that is being compared to the implementation of the European Union’s General Data Protection Regulation.

Zhao said those responsible for the leak and hacking could be charged under China’s criminal law, which would include charges for infringing on citizens’ personal information and illegally accessing computer information systems.

Chinese authorities have previously said the country is a consistent target of overseas hackers. Northwestern Polytechnical University, one of the country’s top schools for national defence research, said in a statement last month that it was the target of a cyberattack from overseas hackers.

At home, the country is also subject to constant data leaks and has a rampant underground market for personal information. In 2020 alone, China investigated 560,000 cases of cybercrime and arrested over 80,000 suspects, including 13,000 suspects involved in personal information infringement and another 2,975 suspects involved in hacking, according to the Ministry of Public Security.

As the latest alleged data leak picked up steam online, Tencent Holdings and Weibo started censoring related posts. One commentary on Tencent’s WeChat that claimed the leak will bring “permanent, implacable influences” disappeared soon after being published. On Weibo, a microblogging platform, related content under the topic “Shanghai national police database” was cleared out.

Data leaks are becoming a bigger issue for countries around the world. Earlier this year, the personal data of 22.5 million Malaysian citizens – including full names, ID numbers, photos, home addresses and phone numbers – were stolen from government servers and sold on the dark web for a reported price of US$10,000. Soon after, Malaysian computer security experts discovered a website offering access to a wide range of personal data on the country’s citizens. South China Morning Post