ChinaIndiaSupply ChainsCybersecurityUkraine Invasion

China collects so much information on its citizens that a massive data leak was inevitable, experts say, after a hacker stole the personal data of 1 billion people

July 8, 2022, 9:58 AM UTC
Chinese surveillance collects so much information on citizens that the Shanghai data leak was inevitable.
Nicolas Asfouri—AFP/Getty Images

Last week, when it emerged that a hacker calling himself “China Dan” was offering to auction off the personal information of a billion Chinese citizens for the price of a souped-up Tesla, global data experts were quick to fault the carelessness of the Shanghai police department. But the report highlighted a broader weakness: China is acutely vulnerable to theft of confidential data. The problem isn’t just that data managers at a single municipal agency, albeit a large one, dropped their guard; rather, it’s that Chinese government officials at almost every level now collect such granular details about their countrymen on such a vast scale that efforts to protect that all that information simply can’t keep up.

“The authorities have been building massive personal profiles of citizens, using data that is far beyond what any one platform could possibly collect. This centrally held data then becomes an attractive target,” says Charlie Smith, the pseudonymous founder of the website, which tracks Chinese censorship.

Jyh-An Lee, executive director of the Centre for Legal Innovation and Digital Society at the Chinese University of Hong Kong Faculty of Law, agrees. “The more personal data that you possess and process, the more risks that are involved…I actually thought this would happen sooner or later,” he says.

But Lee says the scale of the leak was shocking, even to him.

Last Thursday, a hacker called ChinaDan posted an advertisement on a hacker forum for a database that claimed to contain 23 terabytes of personal data on 1 billion Chinese citizens. The database contained sensitive personal information including names, addresses, phone numbers, and even birthplaces that experts say could make people vulnerable to phone scams or identity theft.

The hacker released a small portion of the database publicly, and CNN and the Wall Street Journal later verified a few dozen of the 750,000 entries that the hacker included. But the database had reportedly been floating on the dark web for over a year before the hacker put it for sale on the forum.

Tom Kelly, CEO of consumer privacy firm IDX, says the hack appears to have happened owing to the “careless” mistake of one Chinese government employee. “Someone inadvertently left a web portal unprotected, and accessing the database was as simple as scraping log-in information from the portal,” says Kelly. “Hackers are always looking for entry points, and all it takes is one wrong move and they’ll pounce.”

China’s government has barely acknowledged that the hack occurred at all and has censored news and social media posts about the data breach on China’s internet. But Lee says internally the hack may have served as a wake-up call for the government to take data security practices more seriously.

“This might be the first time a large-scale data breach has come from the government sector [in China],” says Lee. “So I don’t think that they were fully aware of this issue…and I think they are learning a lesson from this incident.”

On Thursday, at a cabinet meeting with China’s top government officials, vice premier Li Keqiang said that China’s government needed to better protect its citizens’ data, without referencing the hack.

“[China’s government should] improve security management provisions, raise protection abilities, protect personal information, privacy, and commercial confidentiality in accordance with the law,” Li said, according to a readout of the meeting from China’s state-run news service Xinhua.

But it may be difficult for China’s vast government bureaucracy to implement Li’s orders given competing objectives to surveil and monitor citizens and to collect as much data as possible.

Consultant and author Michael Frick says that the Ministry of Public Security (MPS), China’s national law enforcement agency that oversees the Shanghai police department where the leak originated, is China’s “most secretive and least scrutinized” government agency. The MPS may also be China’s most “data hungry” department, he says.

The MPS runs a nationwide surveillance network that includes facial recognition cameras that can track the identity of citizens as they walk down a street and collates numerous other digital and biological data points, via phone scanners and fingerprint databases, to build individual profiles of Chinese citizens.

The leak also puts the MPS in an awkward position because China’s government tasks the ministry with enforcing some cybersecurity laws, says Camille Boullenois, senior research analyst at Rhodium Group.

“The MPS is one of the agencies responsible for regulating cybersecurity in China, but it’s also the agency from which the leak occurred,” she says. “It will be a very good test case for how willing Beijing is to hold government agencies accountable for the protection of citizens’ data.”

China’s government has experience, at least, holding to account private sector companies, which operate under strict data security rules, adds Smith.

“China realized early on how private internet companies were using personal data, and they put in place measures that protect users. In many ways, laws in China are far more advanced than laws in the West when it comes to this issue,” Smith says.

On Nov. 1, 2021, China passed the country’s most sweeping data protection measures yet, implementing the Personal Information Protection Law to ensure a new level of consumer data privacy rights to China’s 1.4 billion citizens.

“Only the private sector is subject to that kind of personal data protection, but I think that concept is now changing…from this data breach incident,” says Lee.

Sign up for the Fortune Features email list so you don’t miss our biggest features, exclusive interviews, and investigations.