A hacker who claims to have stolen personal information from hundreds of millions of Chinese individuals is now selling it online.
The hacker shared a sample of 750,000 records online, which included residents' names, mobile phone numbers, national ID numbers, residences, birthdays, and police reports.
Some of the citizen data in the sample has been validated as legitimate by AFP and cybersecurity specialists, but the scale of the complete database remains unknown.
The 23-terabyte database, which the hacker claims contains the records of a billion Chinese citizens, was advertised on a forum late last month but only picked up by cybersecurity experts this week. It is being sold for 10 bitcoin (approximately $200,000).
"It appears to be from many sources. Some appear to be census data, while others look to be face recognition systems," Robert Potter, co-founder of the cybersecurity firm Internet 2.0, stated.
"There is no verification of the overall amount of records, and I'm doubtful of the billion-person figure," he continued.
China operates a vast national surveillance system that collects large quantities of data from its population, reportedly for security reasons.
Growing public awareness of data privacy has resulted in tougher data protection legislation targeting people and commercial corporations in recent years, while citizens have little power to prevent the government from collecting their data.
Some of the data appeared to come from express delivery user records, while other records comprised summaries of incidents reported to Shanghai police over a decade, with the most recent in 2019.
Traffic accidents and petty theft were among the incidents reported, as were rape and domestic abuse.
'Heads will roll,' says one.
At least four of the more than a dozen people contacted by AFP verified their personal information, such as names and residences, as it was recorded in the database.
"That's why so many people have added my WeChat account in the last few days. Should I contact the authorities?" said a woman called Hao.
"I'm pretty perplexed as to why my personal information was released," added another lady, Liu.
Users hypothesized in response to the initial post that the data was hacked from an Alibaba Cloud server where it was supposedly being held by the Shanghai police.
Potter, the cybersecurity analyst, verified that the files were obtained through a breach of Alibaba Cloud, which did not reply to an AFP request for comment.
If proven, the breach would be one of the greatest in history, as well as a severe violation of China's recently passed data protection rules.
"Heads will roll over this one," said Kendra Schaefer, a technology partner at research firm Trivium China.
A fax seeking comment from China's cybersecurity administration was not answered.