Hacker claims to have private data on over 1 billion citizens

A hacker claims to have conducted history’s biggest data heist, having obtained over 1 billion records on Chinese citizens, including IDs, addresses, and contact details. How has China used digitisation to track its citizens, what is the hacker claiming, and could this be China’s Achilles heel?

How has China used digitisation against its citizens?

It’s no secret that for the past decade, China has been accelerating its use of digital technologies to monitor and control its population. For example, using a social credit score allows the government to punish citizens deemed undesirable by restricting their ability to travel, reducing the number of loans they can get, and encouraging those nearby not to interact with them. Shockingly, the Chinese government has managed to convince tens of thousands of people to sign up as reporters who effectively snitch on neighbours, which undoubtedly boosts their own score through government work. 

The widespread use of cameras and surveillance equipment not only allows for the Chinese government to track individuals but also allows for AI systems to detect what citizens are doing and thus update their social credit score. For example, if the AI detects littering, it can subtract from the citizen’s score, and if it sees a citizen helping someone cross the street, it can add to the score. Of course, this also means that a citizen wearing an anti-government t-shirt or associating with someone that has a bad score will also see their social credit score penalised.

While these systems have been in place for several years, it was the COVID pandemic that presented the Chinese government with the prime opportunity to push digitisation and tracking beyond imagination. The requirement for citizens to use COVID monitoring apps that report the user’s GPS location and interactions in real-time effectively forced citizens to give up their remaining freedom to privacy. Additionally, using a traffic light system would alert users to self-isolate if they have been in close contact with someone infected with COVID, but this was quickly abused by government officials to force protesters to stay at home by adjusting their traffic lights status to red.

Hacker claims to have records of over 1 billion Chinese residents

Recently, an unknown hacker online has claimed to have conducted history’s most significant cyber heist with the acquisition of personal data of over 1 billion Chinese citizens. According to the claim, these records include names, addresses, birthplaces, national IDs, phone numbers, and police records, including crimes that they may have been involved with (or associated with). While the current claim is still yet to be authorised in its entirety, the Wall Street Journal has said to have verified some portion of the 23TB of data. 

The hacker is currently selling the entire database for just 10 bitcoins (roughly $200,000), which is a small amount of money considering that many other attacks ask for magnitudes of orders more. However, this small request could add legitimacy to the claim as this amount is easily affordable by almost all governments worldwide, businesses, and even other cybercriminals, but large enough for an individual to be well rewarded.

So, where did the hacker supposedly obtain such an extensive record? According to the hacker, the data came straight from a Shanghai police department, and it has been said that the attacker was able to achieve this incredible feat after software developers who work for the government left key credentials in a public blog. However, security experts believe that the attacker may have been able to use a third-party cloud infrastructure partner that works with the government (such as Alibaba).

Could digital technologies be China’s Achilles heel?

Whether the hack is real or not, it raises the question of whether the extreme degree of digitisation and surveillance that the Chinese government relies on so much could be its undoing. If there is one thing that governments are very good at doing, it’s being inefficient, and the Chinese government is no different.

Sure, billions have probably been invested in developing state-of-the-art AI technologies capable of correctly identifying individuals in a crowd and determining what they are doing, but at the same time, it would not be unsurprising if employees are using default passwords, ageing security software, use of depreciated systems, and devices that haven’t been updated.

Even if a government is using excellent security protocols, no system is infallible, and it only takes one hacker to get lucky. Having access to everyone’s credentials could see massive amounts of disruption in daily life through identity theft and targeted attacks. For example, a hacker could purchase a phone and use the credentials of someone else, then commit crimes that not only implicates the victim but could also affect their social credit score.

Furthermore, citizens of a nation will only tolerate government authority to a limit, and if such attacks become frequent and publicised, they may see citizens react violently. In fact, as China is heavily dependent on digital technologies, it could make it a prime target for cyberattacks from the west, and such attacks could be extremely personal (attacking individuals instead of infrastructure).

Overall, China trying to control its population through connected devices and the use of surveillance equipment could be its downfall, and if this hack is indeed authentic, it could spell trouble for the Chinese government.