"ChinaDan" may have just made cybersecurity history.
Nobody yet knows who is hiding behind this nickname, but this hacker has been selling on the Internet, since July 4, what he claims to be the personal data of a billion Chinese.
This hack would be the most serious computer security incident to affect personal information in China and one of the largest data leaks in history worldwide.
Criminal record, medical record and more
The only scandal of a similar magnitude dates back to 2013 when data linked to Yahoo's three billion accounts was compromised.
But at the time, cybercriminals got their hands on only the basics of personal data, such as name, email address and login credentials.
Nothing to do with the digital heist that just happened.
The data was allegedly stolen from a Shanghai police server and weighs more than 22 terabytes, or 22,000 gigabytes, which is roughly the storage capacity of more than 170 latest-generation iPhones.
“Given its size, this database surely contains more than just the names and identifiers of a billion Chinese people,” said Bastien Bobe, cybersecurity specialist for the American computer security company Lookout.
In his announcement published on a forum devoted to cybercrime, "ChinaDan" also specifies that, apart from the usual information (names, telephone numbers, physical addresses), this database also contains the entire criminal record of the individuals.
And he sells this for the low price of 10 bitcoins (nearly $200,000).
"It's not much given the amount of data, but we can think that he hopes to sell it several times," said Bastien Bobe.
The potential buyer of this digital gold mine will also be able to consult the medical records of at least some of the victims of this data leak, as confirmed by the Wall Street Journal, which had access to a sample of the stolen information in order to verify the authenticity of this digital heist.
There is also probably much more than text in these files.
"There are surely also photos and scans of identity documents", notes Benoît Grunemwald, cybersecurity expert for ESET France.
In addition, "the Chinese police associate the recordings of the surveillance cameras with the file of all the individuals on file. There is also a mix between the judicial and police files in order to have a maximum of information which can be quickly used against a person if the authorities need to put pressure on them," said Frans Imbert Vier, CEO of Ubcom, a consulting agency specializing in data protection.
Jackpot for any cybercriminal
Chinese databases therefore represent the guaranteed jackpot for any cybercriminal who can get their hands on them.
That's why "ChinaDan's" claims about the extent of his digital Ali Baba's cave should be taken with a grain of salt.
He may be tempted to oversell the quality of his loot knowing that this type of database is highly sought after.
"In order to verify the validity of the assertions of 'ChinaDan', it would be necessary to have access to a representative sample," assures Benoît Ferault, product manager for Quarkslab, a French company specialized in data protection.
The Wall Street Journal was able to confirm the veracity of the information with a dozen individuals appearing in this database.
"The information was so precise that one woman who was called asked whether it came from her smartphone, which she had just lost," says the American daily.
But that does not mean that there are indeed a billion Chinese - two thirds of the country's total population - in this file.
"It seems unlikely to me because, in theory, the data collected at the national level is centralized in Beijing and the police authorities of each city are supposed to have access only to files concerning the local or regional population," notes Frans Imbert Vier.
For a city the size of Shanghai, this could easily involve several hundred million people, according to the various experts interviewed by France 24. once under their maiden name and then again as a married woman - the bar of one billion admissions can quickly be reached.
But even with "only" several hundred million Chinese on file, this database has enough to whet the appetite of a wide range of potential buyers.
“The first buyers will probably be groups specializing in financial crime, such as social security fraud,” assures Benoît Grunemwald.
There is everything in this database - personal information and scans of ID documents - to pull off the perfect identity theft and attempt to embezzle welfare benefits.
Any info on Chinese VIPs?
Pharmaceutical laboratories and insurance companies of dubious morality may also find something of value here.
Access to the complete medical file of registered citizens "can allow them to better target promotional campaigns for certain drugs or adjust the prices of their insurance contracts", believes Frans Imbert Vier.
A history of run-ins with the law or the police can also be very enticing for a blackmailer.
Especially since among the hundreds of millions of citizens listed, "there are surely VIPs - whether showbiz stars or wealthy businessmen - who are all potential targets for blackmail attempts", notes Gérôme Billois, cybersecurity expert from the consulting firm Wavestone.
Among the VIPs, there must also be local councilors and their families.
"It's potentially a gold mine for intelligence services around the world who can use it to complete their own file on Chinese politicians," notes Bastien Bobe, the Lookout expert.
If the CIA, for example, can find enough to put pressure on a senior official of the Chinese Communist Party, this data leak would then become a danger to Chinese national security.
But before getting there, "it would still be necessary to be sure of the quality of the information which is thus for sale", notes Gérôme Billois.
A serious breach in the Chinese social contract
This scandal is very bad publicity for countries that build huge databases gathering so much sensitive information on their population, according to the experts interviewed.
"What has just happened in China can happen anywhere," said Bastien Bobe.
And it's a bad blow especially for China, which has made digital surveillance and the collection of personal data one of the pillars of its political system.
"We knew that they were very good at collecting data and creating large databases, we have confirmation that they are much less good at securing this information", sums up Frans Imbert Vier.
Indeed, the first elements on the attacker's modus operandi show that there were "very serious breaches of the security rules", notes Benoît Ferault.
One of the developers in charge of this database inadvertently left his credentials lying around on a discussion forum for computer scientists in China.
It is also a serious breach in the social contract that binds the Chinese state to its population, which accepts significant limits on its individual freedom in exchange for a certain security.
Such a scandal could call this assumption into question... "provided that the Chinese are made aware," specifies Frans Imbert Vier.
Beijing understood the danger well and, as of Tuesday morning, any mention of this attack was censored on social networks.