Last week, China recorded a data breach that experts are calling the largest cybersecurity breach in the country's history.
According to Bloomberg and several other media outlets, the online database stolen from the Shanghai police contains the personal information of about one billion people in China. It includes names, places of birth, addresses, ID and phone numbers and information about criminal cases. In total it is 23 terabytes of data. Attackers are selling the information for 10 bitcoins worth about $200,000.
According to CNN, the database had been publicly available for more than a year until an anonymous user in a hacker forum offered to sell the data and brought it to wider attention last week.
Shanghai authorities have yet to publicly respond to the incident. China's internet overseer, the Cyberspace Administration of China and the Shanghai Municipal Police also have not responded to media comments.
"A violent reaction was caused by censoring the hashtag 'data leak' and reposting this news on the Chinese Internet, but this is most likely due to the fact that the information is not verified,"
says Maria Belyaeva, an expert at the BRICS Competition Centre.
There have also been no official statements from the parties involved — such as Alibaba Cloud, which, according to the hacker, hosted the data — either. In China, the spreading of rumors, fakes and information that violates public order is strictly suppressed, so information platforms are not ready to take responsibility and are probably waiting for the emergence of confirmed data, the expert believes.
Chinese leader Xi Jinping has long positioned China as a leader in the digital economy and considers data the key for governing and driving the country of 1.4 billion. Beijing is investing in digital infrastructure, implementing new laws and building data centers.
"It is necessary to safeguard the country’s data security, protect personal information and business secrets, and promote the efficient circulation and use of data so as to empower the real economy",
Xi Jinping stressed at a meeting with the top government agency in less than two weeks ago, according to the official Xinhua News Agency.
"China has been active in strengthening cybersecurity: last year it passed a revised Personal Data Law that many have called the most stringent in the world, and ride-hailing service DiDi even had to withdraw from the New York Stock Exchange because of an inspection by China's Cyberspace Administration. But at the same time, the authorities' demand for identification of Internet users is growing: more and more often identity confirmation is required to create an account or post comments. Thus, more and more data is coming in and ensuring its proper protection is becoming more and more urgent",
Maria Belyaeva says.
It is not yet clear who will be declared responsible for such a large-scale data leak, but according to China's 2021 Personal Information Protection Law, government agencies that fail to fulfill their duties to protect confidential information could incur sanctions.
If the breach is found to be the fault of the private company that maintained the database, it is likely to be fined or targeted by market regulators.