Here are four big questions about the massive Shanghai police leak


Hello and happy Wednesday! Be sure to tune in tomorrow when our esteemed colleague Joe Menn leads the newsletter – you won’t want to miss it.

Below: Chairman of the Federal Trade Commission Lina Khan is under pressure to investigate reports that US users’ data on TikTok has been repeatedly accessed in China, and Marriott acknowledges that one of its computers was hacked.

We are still learning the details of the Chinese police leak. Here are some key questions.

A potentially massive leak of police data in China’s most populous city is raising concerns that sensitive information about a billion Chinese citizens – yes, a billion – could be exposed.

The data includes personal information such as phone numbers and birthdays. But, perhaps most disturbingly, it includes reports on crimes like domestic violence and contains data from 1995 to 2019, the Wall Street Journal reported.

Billions of records would make the leak one of the largest on record. But much is still unknown about the incident, which raises more questions than answers. Here are four of the biggest questions about the leak:

The leak has sketchy origins, with a pseudonymous user first announcing the data on a hacker forum on Thursday. They released what they called a “sample” amounting to several hundred thousand records from the database.

So far, it looks like at least some of this data is verified. The Wall Street Journal and The New York Times separately called people whose data was included in the leak. Nine people the two outlets called confirmed that the details about them in the leak were accurate.


But Chinese authorities have not publicly commented on or confirmed the alleged leak. Shanghai police and China’s internet regulator did not respond to The Wall Street Journal’s request for comment.

Such “radio silence” is unusual following data breaches, but perhaps less unusual for Chinese police, who do not communicate in the same way as Western companies, said Troy Hunt, the founder of Have I Been Pwned, a website that lets people check whether their data has been exposed in data breaches.

The leak comes as Chinese regulators examine the data security practices of Chinese tech companies, which they say have collected extensive information about Chinese users. It also comes amid criticism that Chinese authorities are surveilling and amassing massive amounts of data on Chinese citizens as part of a campaign to track them and predict crime, The New York Times reported last month.

The data is offered for sale for 10 bitcoins (about $200,000). It’s unclear how many people have approached the seller, “ChinaDan”, to buy the huge trove of data.

It’s also unclear how widely the data was released before Thursday, and it’s unclear how many people already had access to the data.

The database was accessible online for months before it came into the limelight, security researchers said, CNN’s Yong Xiong, Hannah Ritchie and Nectar Gan report.

  • This could make the leak even more devastating. If it was indeed “on display for a long period of time, you should assume that other people found it,” Hunt told me.

3. Who was behind the leak?

The origins, provenance and sequence of events leading up to Thursday’s message are unclear. “ChinaDan” has not publicly commented on when they got the data, whether they plan to keep trying to sell it, and whether they sold it to anyone. They did not respond to a request for comment on those issues.

It’s also unclear whether they are acting on their own, part of a larger operation, or sponsored by a government or other donor.

The leak would amount to a massive mistake if it is legitimate and the data really sat unsecured for more than a year. It could also lead to real-world harm if particularly sensitive information, such as reports of sexual assault and abuse, were to leak.

  • Some of the data indicated whether the people included in the dataset had been identified as a “key person” by China’s Ministry of Public Security, The New York Times reported. This blacklist has included people with mental illness, people who use drugs and political troublemakers, the outlet previously reported. China does not notify people when they have been added to the list.

Although they did not acknowledge the leak, Chinese authorities apparently noticed it. They blocked popular hashtags such as “data leak”, “Shanghai national security database breach” and “one billion citizen records leaked” on Weibo, a Twitter-like social network, Ryan McMorrow and Gloria Li report for the Financial Times. One user said he was even asked to discuss a viral post about the leak with local authorities, McMorrow and Li report.

Senate Intelligence leaders urge FTC to investigate TikTok data security ‘deception’

Yesterday, leaders of the Senate Intelligence Committee called on the Chairman of the Federal Trade Commission Lina Khan to investigate reports that US user data on TikTok has been accessed repeatedly in China, a revelation that has reignited security concerns over the popular video-sharing app, notes my colleague Cristiano Lima of The Technology 202. US lawmakers have long worried about the possibility of Chinese government officials obtaining or capturing US user information through the app, owned by Beijing-based tech giant ByteDance.

Chair Mark R. Warner (D-Va.) and Vice Chair Marco Rubio (R-Fla.) urged the agency to probe the company “based on apparent deception by TikTok” regarding its practices. The senators wrote that recent reports “suggest that TikTok has also misrepresented its corporate governance practices, including with congressional committees like ours.” The FTC declined to comment.

“For two years, we have spoken openly about our work to limit access to user data in all regions, and in our letter to senators last week, we were clear about our progress in limiting access even further through our work with Oracle,” said TikTok spokesperson Brooke Oberwetter. “As we’ve said many times, TikTok has never shared US user data with the Chinese government, nor would we if asked.”

Last week, a group of Republican senators denounced the recent revelations and demanded answers from the company in a separate letter. In response, TikTok confirmed to lawmakers that employees in China can access US user data after clearing security protocols, Bloomberg News reported. In a rare Sunday interview on CNN, TikTok’s public policy manager for the Americas Michael Beckerman said the company had “never shared any information with the Chinese government, and neither have we.”

US government unveils algorithms designed to resist quantum computers

The National Institute of Standards and Technology has announced the first four encryption algorithms it has chosen through a competition. It comes amid a race to find encryption algorithms that can withstand a generation of quantum computers expected in 15 to 20 years, this newsletter reported in April.

Quantum computers will have more firepower than current computers, allowing them to easily crack the current generation of encryption algorithms that keep communications such as emails secret as they move from one place to another. The new algorithms “build on mathematical problems that conventional and quantum computers are expected to struggle to solve, thereby defending privacy both now and in the future,” NIST said.

It’s not the end of the road, however. NIST still plans to announce four additional algorithms. It expects the algorithms to be included in a new post-quantum encryption standard that it will finalize in about two years, according to NIST. The industry also needs to adopt the standard, a process that could take years, this newsletter previously reported.

Hackers Briefly Hacked Marriott, Hotel Giant Claims

Hackers say they are “an international group that has been working for about five years” and stole around 20 gigabytes of credit card, employee and guest information from a hotel employee near Baltimore-Washington International Airport, CyberScoop’s AJ Vicens reports. Marriott told another website, databreaches.net, that it would notify 300 to 400 people of the breach, as well as regulators.

Marriott “is aware of a threat actor who used social engineering to trick an associate of a single Marriott hotel into giving him access to the associate’s computer,” a spokesperson told CyberScoop. Their access “was only for a short period over one day. Marriott identified and was investigating the incident before the threat actor contacted the company in an extortion attempt, which Marriott did not pay,” they said.

The breach comes as Marriott is involved in a class action following a breach disclosed by the company in 2018. The breach included more than 130 million records, and US officials blamed it on China.

DoD issues call for hackers to dig into networks (The Record)

War in Ukraine could provide cyber warfare playbook for Chinese generals eyeing Taiwan (CyberScoop)

Georgia grand jury subpoenas Sen. Graham, Giuliani and Trump’s legal team (Matthew Brown)

  • Col. Candice E. Frost, the commander of US Cyber Command’s Joint Intelligence Operations Center, speaks at a NightDragon event Thursday at 4:30 p.m.
  • UK Minister of State for Media, Data and Digital Infrastructure Julia Lopez discusses new data protection rules in the UK at an Atlantic Council event on Tuesday at 9 a.m.

Thanks for reading. Until tomorrow.
