
China’s biggest database leak in history, with the personal data of nearly one billion people breached and up for sale on the web

Cyber Secure India

China, a country under a Communist regime, is said to be among the nations most obsessed with cyber security and breach consciousness. This sense of security is visible in the means the country adopts: digital surveillance of its citizens, deployment of the Great Firewall, the Great Cannon, and so on. The country was exposed last week, when an anonymous internet user identified as “ChinaDan” posted on the hacker forum Breach Forums that he was in possession of sensitive data from China and offered to sell the more than 23 terabytes (TB) of data for 10 bitcoin, equivalent to about $200,000. “ChinaDan” claimed to have stolen the database from Shanghai’s police department, stored in Alibaba’s cloud, containing information (including names, phone numbers, national ID numbers and case details) on approximately 1bn people. To prove authenticity, the hacker released a data set containing 750,000 records.

The user had earlier claimed that the database was collated by the Shanghai police and stored by them on Alibaba’s cloud. Although details of the breach remain scarce, portions of the data have been verified as authentic, which suggests that at least some of it is real. The breach, if authentic, raises questions about the vast scale of China’s surveillance state, the largest and most expansive in the world, and about Beijing’s ability to keep that data secure.

The method used by the hacker, how the data reached the hands of an underground seller, and the motive are yet to be ascertained. Experts say, however, that the database’s credentials were inadvertently published as part of a technical blog post on a Chinese developer site in 2020. Misconfiguration and inadvertent exposure through human error, in place since April 2021 before it was discovered, may have led to this situation.

The data made available by the hacker is formatted in JSON, a standard file format for Elasticsearch databases, which makes it easy to analyse. The format suggests the database was meticulously maintained and then downloaded, rather than created purely by aggregating information from multiple data sources. The data is also in Chinese, and its sheer volume, its format and the detailed police reports dating from 1995 through to 2019 indicate that it is factual and not fabricated. The population of China is about 1.4 bn people. The fact that this data represents about 1 bn unique records,


It is by far one of the most expansive and impactful breaches of personal data of all time to hit China. It comes at a time when China has only recently (in September 2021) passed the Personal Information Protection Law, its first comprehensive privacy and data protection legislation and China’s equivalent of Europe’s GDPR privacy rules, which lays out ground rules on how personal data should be collected, used and stored. The law restricts how businesses can collect personal data and is expected to have a sweeping effect on the ad businesses of the country’s biggest tech giants, but it allows broad exceptions for the government agencies and departments that make up China’s vast surveillance capabilities. Experts have raised concerns that while the law can regulate technology companies, it could be challenging to enforce when applied to the Chinese state.

Lesson for India

India cannot absolve itself of the prominent threat to its cyberspace. There are many databases, especially those aggregated and maintained by government agencies, with poor and vulnerable configuration and access control. Many of these are also hosted on public clouds such as Amazon, Azure and Google, which makes them more vulnerable when the subscribing clients configure them weakly. Unsecured personal data held by both government and non-government agencies, exposed through leaks, breaches or some form of incompetence, is an increasingly common problem in India, and cybersecurity experts say it is not unusual to find databases that are left open to public access. A revision of the IT Act and the enactment of “Data Storage” and “Data Privacy” legislation are long awaited and are the need of the hour. The amalgamation of the different agencies that claim a stake in the nation’s cyber security is also a matter that needs to be addressed immediately.
