One billion Chinese files were likely leaked by sloppiness, not hacking
Poor security practices may have led to one of the biggest breaches of personal data in history
The global cybersecurity community was set alight this week by news that data on more than 1 billion people were leaked from a Shanghai police database. The implications could be wide-ranging, yet the most astounding aspect of this case may be the fact that it likely wasn’t a hack that caused it, but basic errors in digital hygiene.
The asking price for the database, which includes several billion case records, is just 10 bitcoin (US$202,000). This indicates the seller is someone who happened across the data and is being opportunistic rather than a professional hacker motivated by money. A sample of the data posted in an online forum, and viewed by Bloomberg Opinion, shows records of people across China with names, identification and mobile phone numbers, the original source of the data, and a reference to the first time the details were entered into the record. Chillingly, the database includes fields referring to express delivery and food-order details. This could imply that the data were compiled by police from multiple sources across the country, beyond what law enforcement typically gathers firsthand. Of course, there may be other explanations for such data, too.
Bloomberg Opinion was unable to independently verify the authenticity of the data, yet numerous posts in that same forum indicate that users have checked it and found it to be real. Shanghai authorities haven't publicly responded to the alleged data breach. Representatives for the city’s police and Cyberspace Administration of China, the country’s Internet overseer, did not respond to requests for comment by Bloomberg News.