Shanghai police data leak may be a national security concern for China

The sheer volume of the leak, if authenticated, would make the dataset stolen from Shanghai police a goldmine for spy agencies and threat actors worldwide.

Hackers said they had obtained 23 terabytes of data on 1 billion Chinese nationals and several billion case records from police in the major Chinese city. If confirmed, the leak would be one of the largest in history.

According to experts we've spoken to, the dataset includes names, addresses, birthplaces, national ID and mobile numbers, and criminal case details.

While not officially confirmed, the data samples included in the post the hackers used to announce the leak suggest that the personal information, which they tried to sell on an online marketplace, is accurate. If true, the potential fraud implications are enormous.


Fears of retribution

Once the news about the leak broke on China's largest social network Weibo, hashtags and comments associated with it soon started disappearing. These apparent attempts to silence discussion of the matter suggest that Beijing may well understand the implications of the leak all too well.

According to Dr Chris Pierson, the CEO of cybersecurity firm BlackCloak, the leaked information could impact victims from a fraud and crime perspective, cause other issues due to criminal details being released, and affect persons in high-profile, military, or intelligence roles.

"This data would be useful to cybercriminals and other nation-states," Pierson told Cybernews.

The availability of personal information on a large chunk of China's population – estimated at more than 1.4 billion in total – could cause long-term problems such as identity theft and targeted phishing attacks, affecting hundreds of millions of people.

Worryingly, leaked case records spanning more than 20 years could give threat actors the means to seek retribution over criminal cases, such as those that resulted in a conviction.

"What is even more concerning is the release of crime/case details, which could expose those individuals to a variety of risks, ranging from extortion to harassment and retribution," Pierson explained.

Phishing season

Since the dataset does not include financial data, account passwords, or medical records, the implications of the leak will likely come to light only over a prolonged period of time, after threat actors have analyzed the data and decided on ways to exploit it.

The worst part of data leaks, of all shapes and sizes, is that once the proverbial genie is out there is no way to put it back in the bottle, according to Alex Hamerstone, advisory solutions director at cybersecurity company TrustedSec.

"Datasets this large also allow for attacks at scale. A phishing or other type of attack generally has a percent of success, and with a larger list of targets the threat actor will likely have more success," Hamerstone explained.

National security concerns

Phishing attacks might harm victims individually, but if the hackers really have managed to grab data on a billion people, Beijing could even be faced with national security concerns.

Adversaries could dig into the data to form sophisticated victim-targeting models, with nation-states employing it to identify high-ranking officials, their familial relationships, and location. This could permit them to zero in on specific people through their connected mobile devices and numbers.

"If the mobile numbers are accurate, this data would be incredibly valuable in targeting specific people for other cybersecurity vulnerabilities and potential exploits," Pierson said.

The post on an online marketplace, announcing the data breach.

A massive blunder

While it's unclear what issue allowed threat actors to obtain the data, hackers selling it claimed the leaked information was stored on Alibaba's private cloud server.

While there may have been an issue with a third-party hosting service provider or misconfiguration of systems, Hamerstone explained that every data operator should be concerned with the safety of datasets that large.

"Just like anything else, there are all kinds of service providers and cloud services, and they are not all secured equally. It is essential when using third parties or cloud services to ensure that they are providing proper security and are reviewed regularly," Hamerstone said.

The success of threat actors in this exfiltration attack suggests a major lapse in cybersecurity.

"The exfiltration of this much sensitive data leads one to conclude that the appropriate detective controls to spot an infiltration were not present, or avoided, and that no comprehensive controls monitoring the egress of data were activated either," Pierson said.