A recent post on a popular hacker forum has claimed a massive infiltration against a Shanghai police database, which, if confirmed, indicates one of the largest data breaches in China's history.

The alleged data leak is said to contain the personal records of 1 billion Chinese citizens, a claim that the purported hacker, going by the handle 'ChinaDan', has substantiated via a publicly shared sample dataset of sensitive personal records.

Among the data exposed thus far, information including the names, addresses, national identification numbers, mobile phone numbers and individual case details are already available for download.

Some of the data even links to victims whose ages are listed as young as one year old, meaning the pool of leaked information extends to minors.

At the time of writing, the hacker is yet to disclose a buyer for the full dataset. ChinaDan has listed an open trade offer on nearly 24 terabytes worth of data in exchange for 10 Bitcoin (BTC), which after conversion is just shy of $300,000.

Much of the details surrounding this incident are currently left to speculation, and while the source of the data leak is yet to be confirmed, ChinaDan cites that the stolen information originates from the aforementioned Shanghai National Police (MPS - Shanghai) database.

Breaking the law

If true, this could indicate a major legislative liability upon MPS under China's Personal Information Protection Law (PIPL).

PIPL was enacted as recently as last year, and outlines a myriad of responsibilities for government bodies when it comes to handling and protecting citizen records.

Many cyber security experts suggest that this incident may be the first major public breach against a government body under the new legislation.

Neither the MPS nor the Shanghai government have responded to recent requests for a comment on the alleged data leak, leading some journalists to take matters into their own hands.

"I downloaded the sample the hacker provided and called dozens of people listed," states reputable reporter, Karen Hao of The Wall Street Journal.

"Nine picked up and confirmed exactly what the data said."

Others are voicing concerns that discussion and coverage of the incident is being censored within Chinese platforms.

Social media app, WeChat, has been accused of removing posts that cover the alleged data breach, and popular microblogging website, Weibo, has been criticised for reportedly blocking hashtags like "data leak" and "Shanghai national security data breach" following widespread discourse on their platform.

This apparent censorship has been further evidenced by reports of forcefully deleted content, including a viral post by a Weibo user with 27,000 followers which was removed from the platform as of Tuesday.

But how?

Due to the finer details currently being somewhat obscure and undetermined, it is difficult to discern exactly how such a breach may have occurred.

Changpeng Zhao (the CEO of the popular cryptocurrency exchange platform, Binance) has shared an image suggesting that a government developer accidentally displayed sensitive access credentials as a part of a tech blog contribution on CSDN.

In an earlier tweet, Zhao had estimated that the alleged breach is "Likely due to a bug in an Elasticsearch deployment by a gov agency".

For context, Elasticsearch (ES) is an open-source search and analytics engine that forgoes traditional SQL database structures. The ES solution is lauded for its innovations in data volume and speed, however, it has also been at the centre of many high-profile data breaches.

Organisations that have experienced ES-related data leaks include Microsoft, who had 250 million records exposed in 2020, and Avon, who leaked 19 million records less than six months later.

Zhao goes on to forewarn other platforms that they should bolster their security in relation to ES.

"It is important for all platforms to enhance their security measures in this area. Binance

has already stepped up verifications for users potentially affected."

If the data breach is substantiated, it would indicate the fourth largest data breach of all time.

And should further information confirm that MPS databases are the source of the leaked data, this incident would be the second-largest breach within public sectors, trailing just behind the Aadhaar data breach of 2018 that impacted 1.1 billion Indian citizens.

As it stands, ChinaDan's purported data breach is on track to become a historic cyber security event, with the potential to significantly impact the lives of an alleged one billion victims.