More information has emerged about the recent Shanghai police data breach which could affect 70% of the Chinese population.
In addition to the underlying vulnerabilities that led to the alleged breach, new sources indicate that the data may have been publicly available for more than a year.
The apparent data breach was initially unconfirmed, with widespread media coverage only beginning after a hacker posted an offer of 1 billion leaked Chinese citizen records in exchange for 10 Bitcoin (BTC).
While the Chinese government has been silent on the matter, many journalists and cybersecurity experts have taken it upon themselves to investigate and substantiate the hacker’s claims.
Multiple sources, including the ABC and CNN, have confirmed that a number of the publicly exposed records are genuine, revealing both personally identifiable information (PII) and details of specific cases ranging from minor theft incidents to domestic violence.
The Australian Federal Police also investigated 100 leaked files involving Australian citizens, including a case involving a former MP who phoned police in Shanghai after a car theft in 2004.
Further investigation suggests that the current sample dataset covers 20 years between 1995 and 2019.
How did the breach happen?
LeakIX, a reputable platform that investigates security misconfigurations in large systems, suggests the breach stems from a misconfigured instance of Kibana.
Kibana is a service linked to Elasticsearch databases that the Shanghai police used to manage and administer data.
According to current Alibaba documentation for Kibana, the service is not only exposed to public networks by default, but some legacy versions of the service, which the Shanghai police appear to have been using, do not include authentication in the basic product.
This indicates that the deployment lacked proper passwords and access controls, ultimately leaving the affected database open to anyone on the internet.
LeakIX notes that these glaring security oversights were in effect as of April 2021.
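The two weaknesses described above, a service bound to a public interface and a data store with no authentication in front of it, are both visible in the configuration files of a self-managed Elasticsearch/Kibana deployment. The following is an added defensive example, not code or configuration from the Shanghai deployment or from Alibaba: it audits a constructed elasticsearch.yml and kibana.yml for those two settings. The configuration keys used (network.host, xpack.security.enabled, server.host) are real Elastic settings; the minimal line parser is a simplification that only handles flat key: value lines, and the sample files are constructed for illustration.

```python
"""Flag public exposure and missing authentication in Elasticsearch / Kibana
settings. Added example (not the breached deployment's configuration)."""

from typing import Dict, List

# Values of network.host / server.host that keep a service on the local host only.
LOOPBACK = {"127.0.0.1", "localhost", "::1", "_local_"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Tiny parser for flat `key: value` lines, enough for the settings
    checked here; a production audit would use a full YAML library."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_elasticsearch(text: str) -> List[str]:
    """Return human-readable findings for an elasticsearch.yml body."""
    s = parse_flat_yaml(text)
    findings: List[str] = []
    # Elasticsearch binds to loopback when network.host is unset.
    host = s.get("network.host", "_local_")
    if host not in LOOPBACK:
        findings.append(f"network.host={host}: REST API reachable beyond localhost")
    # xpack.security.enabled governs authentication (and TLS) on the cluster.
    sec = s.get("xpack.security.enabled", "").lower()
    if sec == "false":
        findings.append("xpack.security.enabled=false: no authentication on the REST API")
    elif sec == "":
        # The default differs between major releases; demand an explicit value.
        findings.append("xpack.security.enabled not set: default depends on release, set it explicitly")
    return findings


def audit_kibana(text: str) -> List[str]:
    """Return findings for a kibana.yml body. Kibana itself relies on
    Elasticsearch security for logins, so here only exposure is checked."""
    s = parse_flat_yaml(text)
    host = s.get("server.host", "localhost")   # Kibana's default binding
    if host in LOOPBACK:
        return []
    return [f"server.host={host}: Kibana UI reachable beyond localhost"]


# Constructed sample files: the weak pair reproduces the pattern in the article,
# the hardened pair is what a reviewer would expect to see instead.
WEAK_ES = """
cluster.name: police-records
network.host: 0.0.0.0
xpack.security.enabled: false
"""
HARDENED_ES = """
cluster.name: police-records
network.host: 127.0.0.1        # reach it through a VPN / reverse proxy instead
xpack.security.enabled: true
"""
WEAK_KIBANA = 'server.host: "0.0.0.0"\n'
HARDENED_KIBANA = 'server.host: "localhost"\n'


if __name__ == "__main__":
    for name, fn, body in [("weak ES", audit_elasticsearch, WEAK_ES),
                           ("hardened ES", audit_elasticsearch, HARDENED_ES),
                           ("weak Kibana", audit_kibana, WEAK_KIBANA),
                           ("hardened Kibana", audit_kibana, HARDENED_KIBANA)]:
        print(name, "->", fn(body) or ["ok"])
```

Run as a script to print findings for the four sample files; in practice the audit functions would be pointed at the real configuration files of each node and Kibana host, and any non-empty result treated as a blocker before the service is reachable from the network.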
Given China’s reputation for mass surveillance and data hoarding, cybersecurity experts speculated that a breach of this nature was inevitable.
However, there is still a lot of disbelief and disappointment in the cybersecurity community regarding the volume and sensitivity of data involved.