Hacker Offers to Sell Chinese Police Database in Potential Breach

Last year, for example, Beijing cracked down on Didi, China’s equivalent of Uber, after its listing effort on the New York Stock Exchange, citing the risk that sensitive personal information could be exposed. But when local authorities in the Chinese province of Henan misused data from a Covid-19 app to block protesters last month, officials were largely spared from severe penalties.

When smaller leaks have been reported by so-called white-hat hackers, who search out and report vulnerabilities, Chinese regulators have warned local authorities to better protect the data. Even so, ensuring discipline has been difficult, with the responsibility to protect the data often falling on local officials who have little experience overseeing data security.

Despite this, the public in China often expresses confidence in authorities’ handling of data and typically considers private companies less trustworthy. Government leaks are often censored. News of the Shanghai police breach has also been mostly censored, with China’s state-run media not reporting it.

“In this Shanghai police case, who is supposed to investigate it?” said Ms. Wang of Human Rights Watch. “It’s the Shanghai police itself.”

In the hacker’s online post, samples of the Shanghai database were provided. In one sample, the personal information of 250,000 Chinese citizens — such as name, sex, address, government-issued ID number and birth year — was included. In some cases, the individuals’ profession, marital status, ethnicity and education level, along with whether the person was labeled a “key person” by the country’s public security ministry, could also be found.

Article source: https://www.nytimes.com/2022/07/05/business/china-police-data-breach.html