ITP Techblog

A 23-terabyte cache of data allegedly containing the details of one billion Chinese citizens has been offered for sale on the dark web.

That’s according to Changpeng “CZ” Zhao, the chief executive of cryptocurrency exchange Binance who took to Twitter yesterday to express his alarm at the scale of the data being offered for sale on the hacker forum Breach Forums, for US$200,000, the equivalent of ten bitcoins.

“In 2022, the Shanghai National Police (SHGA) database was leaked. This database contains many TB of data and information on billions of Chinese citizens,” a post from the anonymous hacker ChinaDan read.

“Databases contain information on 1 billion Chinese national residents and several billion case records, including: name, address, birthplace, national ID number, mobile number, all crime/case details,” the hacker added.

In the last day, security experts have downloaded samples of the data, finding they include names, addresses, birthplaces, national IDs, phone numbers and even criminal case information for Chinese citizens. Journalists have also authenticated samples of the data, even calling some of the phone numbers featured in the examples given. 

While the Chinese Communist Party is yet to confirm the hacking attack, Binance’s Zhao pointed to how the exploit occurred - via a bug in a government agency’s software that was using an “Elasticsearch” algorithm. Zhao expressed his concern that Chinese citizens who use Binance faced the risk of their hacked data being used to attempt to access their cryptocurrency accounts.

If that is indeed the case, it raises serious questions about the integrity of China’s central systems for managing digital records on its citizens. China has gradually been building extensive digital case files on each citizen as it builds out a social credit system aimed at encouraging good behaviour and discouraging crime and antisocial behaviour.

ElasticSearch - a stretch too far?

ElasticSearch is a commonly used open-source tool offering the ability to search massive sets of data quickly. It is used all over the world by businesses as well as public agencies to serve up results in a sort of Google search engine for private data searches.

The hack of the Shanghai National Police database allegedly occurred on an instance of ElasticSearch hosted on the cloud platform of a subsidiary of Alibaba that was being used by the Shanghai police.

This isn’t the first time that Elasticsearch has been fingered as the cause of a major data breach in China. In 2019, an apparently publicly accessible and unsecured ElasticSearch server belonging to the Jiangsu Provincial Public Security Department of the Chinese province Jiangsu leaked two databases containing over 90 million people and business records.

If the latest data leak is as extensive as the hacker claims, it could be the largest data breach in history. The question now is how upfront the Chinese Government will be with affected citizens, particularly given the data allegedly includes details of criminal convictions.

The Guardian reported that the hashtag “Shanghai data leak” was blocked by the Chinese social media platform Weibo on Sunday as users discussed the claims about the data breach.

There will be a lot to unpack about the details of this breach in the coming days and the integrity of government systems that allow universal search across billions of records. China’s strategy of building a massive database on its citizens will now receive more scrutiny than ever before.