Further information has been revealed about the recent Shanghai police data breach that could impact 70 per cent of China's population.
In addition to the underlying vulnerabilities that led to the alleged breach, new sources indicate the data may have been publicly accessible for over a year.
The apparent data breach was initially unconfirmed, with widespread media coverage beginning only after a hacker posted an offering of one billion leaked Chinese citizen records in exchange for 10 Bitcoin (BTC).
While the Chinese government has remained silent on the issue, many journalists and cyber security experts have taken it into their own hands to investigate and substantiate the hacker’s claims.
Multiple sources, including the ABC and CNN, have confirmed a number of publicly exposed records are factual, revealing both personally identifiable information (PII) as well as specific case details ranging from incidents of petty theft through to domestic violence.
The Australian Federal Police has also investigated 100 leaked records pertaining to Australian citizens, with one case relating to a former federal MP who phoned Shanghai police after a car-related theft in 2004.
Further investigation suggests that the current sample dataset spans 20 years, from 1995 to 2019.
How did the breach happen?
LeakIX, a reputable platform that investigates security misconfigurations in large systems, suggests the breach originates from a misconfigured instance of Kibana.
Kibana is the web front end for Elasticsearch databases, which the Shanghai police used to manage and administer their data.
According to Alibaba's current documentation for Kibana, the service is not only exposed to public networks by default, but a certain legacy version of the service, which the Shanghai police appeared to be using, does not include authentication features in its base product.
This indicates that the deployment lacked appropriate password and access control measures, ultimately leaving the impacted database open to the public.
LeakIX notes that these blatant security oversights were in effect as early as April 2021.
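As an added example (not code from the article, LeakIX or any vendor), a small Python audit of self-managed Kibana and Elasticsearch settings that flags the combination the article describes: a service bound to a non-loopback interface with authentication turned off. The setting names are the stock ones (`server.host`, `network.host`, `xpack.security.enabled`, `elasticsearch.username`); the sample configs are constructed, and the parser assumes a flat `key: value` file rather than the Shanghai deployment's actual configuration, which is not public.

```python
# Constructed sample configs for a hypothetical self-managed deployment.
WEAK_KIBANA_YML = """\
server.host: "0.0.0.0"          # reachable from every interface
server.port: 5601
elasticsearch.hosts: ["http://127.0.0.1:9200"]
xpack.security.enabled: false   # no login at all
"""

HARDENED_KIBANA_YML = """\
server.host: "127.0.0.1"        # only behind a local reverse proxy / VPN
server.port: 5601
elasticsearch.hosts: ["https://127.0.0.1:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "${KIBANA_PASSWORD}"
xpack.security.enabled: true
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text):
    """Minimal parser for flat `key: value` lines; drops comments and quotes."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(text, role="kibana"):
    """Return (severity, findings); role is 'kibana' or 'elasticsearch'."""
    s = parse_flat_yaml(text)
    findings = []
    host_key = "server.host" if role == "kibana" else "network.host"
    host = s.get(host_key, "localhost")      # both products default to loopback
    exposed = host not in LOOPBACK
    if exposed:
        findings.append(f"{host_key}={host}: bound to a non-loopback interface")
    no_auth = s.get("xpack.security.enabled", "").lower() == "false"
    if no_auth:
        findings.append("xpack.security.enabled=false: no authentication enforced")
    if role == "kibana" and "elasticsearch.username" not in s:
        findings.append("no elasticsearch.username: Kibana reaches Elasticsearch unauthenticated")
    # Public bind plus disabled security is the open-to-the-internet case.
    severity = "critical" if exposed and no_auth else ("warning" if findings else "ok")
    return severity, findings
```

Run `audit(WEAK_KIBANA_YML)` to see the critical case and `audit(HARDENED_KIBANA_YML)` for a clean result; pass `role="elasticsearch"` when auditing `elasticsearch.yml`.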
Given China's reputation for mass surveillance and data hoarding, cyber security experts have speculated that a breach of this nature was unavoidable.
However, there is still substantial disbelief and disappointment in the cyber security community regarding the sheer volume and sensitivity of the data involved.