Largest Data Breach

Largest Data Breach in History? Maybe in Total Number of People Affected (if True): Cybersecurity Trends

24 terabytes (TB) of data for information on 1 billion Chinese for 10 Bitcoin, worth about $204,280? That could be the largest data breach in history (if it’s true, that is).

According to HotHardware (Hacker Claims Theft Of 1 Billion Police Records In China’s Largest Data Breach Ever, written by Nathan Wasson), late last week, a Breach Forums user by the name of “ChinaDan” posted to the website claiming to possess a recently leaked copy of the Shanghai National Police database. According to the post, the database contains the personal information of 1 billion Chinese nationals, along with several billion case records. The personal information includes the following:

  • Name
  • Address
  • Birthplace
  • Age/birthday
  • Sex
  • Height
  • National ID number
  • Phone number
  • All criminal activity and cast details

ChinaDan listed the entire database for sale at a price of 10 Bitcoin, which amounted to $204,280 late yesterday afternoon (who knows what it’s worth now – it’s Bitcoin!). 😉

The post started what has quickly become the website’s most viewed thread, with over 680,000 views, leading the moderators to lock the thread, citing spam. While the thread was still active, some Breach Forums users have questioned the authenticity of the data, asking why such a valuable trove of data is listed for a relatively low price. Nonetheless, at least some of the data appears to be real.

The forum post includes a download link for a significant chunk of sample data, and Karen Hao, a reporter for the Wall Street Journal, tried calling some of the numbers listed in the sample data. She was able to talk to nine different people who confirmed the exact information listed in the data set. Five of the people verified all of the case details listed with their name — information that would be difficult to obtain from any source other than the police. The other four confirmed basic information like their names before hanging up.

One man, upon hearing why we had his information, sighed in resignation: “We are all running naked,” he said, using popular Chinese slang for a lack of privacy.

Changpeng Zhao, CEO of Binance, also stated on Twitter that his company’s threat intelligence has detected 1 billion resident records for sale online and speculated that the data leak was likely the result of a bug in an Elastic Search deployment used by a government agency. The CEO announced that Binance has stepped up its user verification process for potential victims of the data leak and urged all other platforms to enhance their security measures as well.

UnitedLex

A day later, Zhao followed up with a tweet saying that a government developer wrote a blog post on the Chinese Software Developer Network (CSDN) that exposed his login credentials for a government database. The blog post includes multiple lengthy code snippets, and the developer studiously removed his login credentials and the server URL from the snippets, excepting one instance, where the information remains available for public viewing. The blog post dates back to August 2020, meaning the login information has been exposed for almost two years now.

Given that, it’s not a big surprise that potentially the largest data breach in history occurred (at least for China)! The only question is why did it take so long? Who hasn’t had their data exposed at this point?

So, what do you think? Do you think this is the largest data breach in history? Are we all “running naked” data-wise? Please share any comments you might have or if you’d like to know more about a particular topic.

Image Copyright © New Line Cinema

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Leave a Reply