Security warning after sale of stolen Chinese data

Xi JinpingGetty Images

President Xi Jinping has urged public bodies to “defend information security” after a hacker offered to sell stolen data of one billion Chinese citizens.

In an advert on a criminal forum, later removed, the user said the data was stolen from Shanghai National Police.

The hacker claims the information includes names, addresses, National ID numbers and mobile phone numbers.

Cyber-security experts have verified that at least some of a small sample of the data offered is real.

The 23 terabytes of data is thought to be the largest ever sale of data on record and was being offered for $200,000 (£166,000) until the post was removed on Friday.

No Chinese officials have responded to the news and President Xi did not make direct reference to the data sale.

But, according to the South China Morning Post, the president has asked public bodies in China to “defend information security… to protect personal information, privacy and confidential corporate information” to ensure people feel secure when submitting data for public services.

On Friday, the moderators of the website where the sale was listed – by a user called ChinaDan – posted a notice which read: “Dear Chinese users, welcome to our forum. You most likely came here because of the Shanghai police database leak. The data is no longer being sold, and posts related to this topic have been deleted.”

The website administrators then added that they have many other similar and high quality Chinese databases for sale, adding: “We are not in China and we are not Chinese, so we do not have to obey Chinese laws.”

According to DarkTracer, which monitors cyber criminal activity, another hacker – perhaps inspired by the publicity surrounding ChinaDan’s offer – posted an advert on Tuesday for 90 million Chinese citizen records, which the hacker claims to have stolen from Henan National Police (HNGA). None of that data has been verified.

“It remains unclear exactly why the data has been withdrawn,” Toby Lewis, global head of threat analysis at Darktrace said.

“The original offer of sale suggests that the hacker was looking to sell the data to several buyers without exclusivity, rather than just one.

“So one theory is that for a high enough price exclusivity could have been bought, and that kind of purchase could possibly have been made by the Chinese state itself.”

Post on hacker forums about the data sale

Mr Lewis believes the leaked information could have been a major concern for Chinese authorities which reportedly blocked discussions of the sale on Chinese social networks shortly after it was advertised.

Deb Leary, CEO of Forensic Pathways, also believes the data may have been sold to a high bidder, but adds: “It’s interesting, and not unexpected, that the hacker forum used the incident as a way to promote themselves as a go-to place for stolen data.

“They don’t seem to be worried about angering the Chinese authorities.”

Legitimate data

In April a popular hacking website called Raid Forums was seized and shut down in an international police operation led by the FBI.

The site’s Portuguese founder, and a British man based in Croydon, were arrested.

Large data sets such as the Chinese cache can be used by hackers to send impersonation emails and other malicious attacks to trick people into handing over cash to criminals.

But now the data has disappeared it may never be possible to verify it.

Another theory is that the data and ChinaDan could have been discovered to be fake by the website administrators.

However Louise Ferrett, Threat Analyst at Searchlight Security, thinks the data could well be genuine.

“There are indications that the data on sale was legitimate. Firstly, the source of the data has been reported by some security teams as human error on the part of a government developer,” she said.

The BBC is not responsible for the content of external sites.View original tweet on Twitter

“Secondly, multiple sources have confirmed that the sample data that the seller, known as ChinaDan, provided was legitimate.

“This doesn’t necessarily mean the entire database was real but these two elements combined do certainly make it more likely,” said Mrs Ferrett.


Leave a Reply

Skip to toolbar