informa
5 min read
article

Big Questions Remain Around Massive Shanghai Police Data Breach

Why was PII belonging to nearly 1 billion people housed in a single, open database? Why didn't anyone notice it was downloaded?

Questions continue to swirl around a June 30 incident where an unknown individual put up for sale on a popular underground forum a staggering 23TB of personally identifiable information (PII), belonging to some 1 billion people in China. 

And, in the meantime, the database is continuing to cause ripples across the Dark Web.

The dataset was reportedly accessed from an unsecured Shanghai police database hosted on Alibaba's cloud hosting platform. It included names, addresses, birthplaces, phone numbers, national IDs, and criminal records associated with Chinese citizens and even foreign nationals who might have visited Shanghai during the past few years. The database is still available for sale for 20 bitcoins, or roughly $240,000 currently.

The leak is believed to have happened because a dashboard for managing the database was apparently left open to the Internet, without a password, for more than one year. Though the incident represents one of the largest ever compromises of PII to date, news of it has reportedly been largely blacked out in China. 

However, that has not stopped members of the country's prolific hacking community from flocking to the underground forum where the data is available, according to researchers at Cybersixgill who have been tracking the aftermath of the massive breach. There also has been a notable increase in data leaks of Chinese entities that have been shared on the forum since June 30, they noted.

"We anticipate that we will be seeing the reverberations of this breach on the underground for quite some time," predicts Naomi Yusupov, Chinese intelligence analyst at Cybersixgill. She expects that threat actors will try and use the leaked data in social engineering campaigns, in attacks to try and access more data, and in a variety of other malicious ways.

Yusupov also expects the breach to encourage other threat actors to share more data from breaches in China, as has already begun happening. Chinese threat actors appear to be viewing the high asking price for the Shanghai data as an indication that Chinese databases overall are highly valuable. This could encourage more Chinese data leaks, she says.

"The massive uptick in Chinese users active on the forum could increase the communication and knowledge transfer between the Chinese and the English underground," she notes.

More Than Just Another Cloud Misconfig

There have been countless instances where organizations have similarly exposed sensitive data by leaving it in poorly secured, Internet-accessible cloud storage buckets like Amazon's S3 and ElasticSearch buckets. The most recent incident involved 3TB of sensitive data belonging to airport employees in Columbia and Peru that was exposed via a misconfigured Amazon S3 bucket. 

Vendors such as Upguard have reported detecting thousands of such instances in recent years. UpGuard's most notable discoveries on S3 buckets include some 540 million records from multiple Facebook third-party apps, trade secrets belonging to GoDaddy, and 73GB of data belonging to Pocket Inet employees.

What makes the Shanghai breach notable is its sheer scale. By most accounts, it is one of the largest ever known compromises of PII.

"We see breaches like this quite often," says Ray Kelly, fellow at the Synopsys Software Integrity Group. "[But] the staggering volume and breadth of PII that was contained about Chinese citizens and non-citizens alike will certainly raise red flags."

And it's not just the seeming lapse in securing the database alone that's at issue here: "Was it smart to store 1 billion users' PII in one location to begin with?" he asks rhetorically.

John Bambenek, principal threat hunter at Netenrich, says another big question is why nobody noticed 23TB worth of data being downloaded from the cloud database. 

"Aside from backups, I can’t think of any legitimate use case that involves moving an entire dataset like that," he says. 

Often, database administrators set databases to give people read access and rarely have controls to detect when someone might be abusing that access. Even so, "basic network anomaly detection likely could have caught this," Bambenek says.

A Rare Peek

The Shanghai police data compromise is also notable because there have been few instances where a major cybersecurity incident in China has become public knowledge. 

"While China has historically been home to one of the world's largest communities of cybercriminals, domestic Chinese breaches are rarely disclosed because the Chinese government censors media coverage," Cybersixgill's Yusupov says. For instance, major Chinese social media platforms such as Weibo and WeChat both censored news of the Shanghai police database breach.

Even so, there have been other instances where details of breaches within China have trickled to the outside world, Yusupov notes. One example is a 2016 incident in which an anonymous hacker took to Twitter to expose sensitive information related to dozens of Chinese Communist Party officials and Chinese business magnates, such as Alibaba Group founder Jack Ma and real estate tycoon Wang Jianlin of the Dalian Wanda Group.

Other examples include a 2020 incident where a malicious actor stole the data of more than 538 million users and one in May where tens of thousands of apparently hacked files from China's northern Xinjiang region were released, exposing the persecution of the Uyghur ethnic minority there, she says.