The record-breaking leak, if confirmed, would show that Chinese organizations deal with the same security issues as the West does.
Reports show that most ransomware gangs focus on organizations in the US, UK, EU, Australia, or Canada, and therefore it’s easy to view countries in the Western hemisphere as more susceptible to attacks.
However, the recent data leak from the Shanghai National Police (SHGA) serves as a reminder that similar security issues persist throughout the globe. If confirmed, the SHGA leak would become the largest of its kind ever, flooding the dark web with data on a billion people.
According to Andrew Hollister, CSO at security intelligence company LogRhythm, almost all organizations that experienced a data breach have some sort of cybersecurity program in place, and there is no reason to assume that the situation is any different in China.
"In general, it tells us that they suffer from the same problems as the rest of the world. [...] Almost every organization on the planet that has been breached has some sort of cybersecurity program, and there is no reason to assume that it is any different in China,"Andrew Hollister, CSO at security intelligence company LogRhythm, said.
What would it take for the leak to be verified, apart from confirmation from the Shanghai police?
A data breach of some kind has taken place, but it’s difficult to verify the exact extent. Some data has been shared with media outlets, but confirmation apart from the Chinese authorities would only be possible in the form of a review of the full dataset.
Given information constraints on how the leak happened, what’s your ‘best guess scenario’ on how threat actors managed to get hold of such an immense amount of data?
There have been several theories, but the latest information appears to point to a misconfiguration of a cloud-provided service, leaving the data freely available to anyone who could find and download it. Most breaches start with either phishing or compromise of remote access services, but we’ve seen many examples worldwide of insecure configurations, and services that are entirely unsecured or using default credentials.
What does a leak of this magnitude say about cybersecurity practices in the Shanghai police? Do you think it’s possible all of the sensitive data was stored on a single database?
In general, it tells us that they suffer from the same problems as the rest of the world. Success in cybersecurity starts with basics such as strong password hygiene, multi-factor authentication, securing external facing services, and ensuring that highly sensitive personally identifiable information is properly protected. Almost every organization on the planet that has been breached has some sort of cybersecurity program, and there is no reason to assume that it is any different in China.
If the reports of an unsecured or misconfigured cloud service are true, this is something that is commonly seen and speaks to the importance of understanding the services you are consuming. According to an IBM report, one of the most common initial attack vectors was cloud misconfigurations at 15% of breaches. This shows that cloud providers have a responsibility to deliver services that are secure by default, or at least make it easy to choose the secure option and flag potentially insecure configurations.
Since China is known to have massive surveillance of its citizens, it would not be surprising if all the data was contained within one system or a single repository.
Mentions of the leak were censored on Chinese social media networks. What does that say about China’s attitude towards accountability for cybersecurity incidents?
Social media networks seem to be routinely censored in China, so I don’t think this tells us much. However, it does lend some additional credence to the breach claims.
The authorities have been emphasizing the importance of cybersecurity and have made efforts to make corporate organizations take data privacy seriously, but I don’t think we can imply much about the attitude of the Chinese from the social media actions.
While they haven’t spoken to this breach directly, state-sponsored media have commented on government meetings addressing information security and data privacy in general terms.
Do you think the leak might have national security implications for China? Do you believe nation-states are going through the data to collect information on persons in high-profile military, or intelligence roles?
We don’t know enough details about the context of the breach to make any assessment of this. The assumption would be that a breach of that size would contain information on high-profile individuals, but whether the police are permitted to capture and store information about those individuals is another question altogether. Nevertheless, the potential for this certainly remains an interesting prospect that I feel nation-states outside of China would have great interest in.
Beyond that, the scope for impersonation and fraud using personal details is huge, as is the possibility for blackmail and revenge. Therefore, the inclusion of criminal records or even cases that didn’t result in a conviction on the database must also be of great concern.
What lasting effect will the leak, if confirmed, have on the cybersecurity landscape in China?
China did implement new data privacy laws, including the Personal Information Protection Law and the Data Security Law last year, which were applicable to private companies, but I believe not to the government. Whether there will be moves to extend that to government entities, or if they will implement other measures is unknown. Regardless, this must be causing the authorities there to take a good hard look at the cybersecurity posture of their government departments.
There are some signs of other breaches coming to light since this one, but it’s not confirmed if that is because there have been more, or that some previously unknown breaches are now being reported and criminals are trying to make money from them.
More from Cybernews:
Subscribe to our newsletter