More than 100 Australians exposed in China's big data leak, including former federal lawmakers
The personal details of more than 100 Australian citizens – including former federal lawmakers – were among those exposed by hackers in a major leak of records stolen from Chinese police authorities.
Key points:
- Hacker tries to sell personal information for 10 bitcoins (about $300,000)
- Leaked police report sheds light on the treatment of Uyghurs and other minorities
- It is believed that this data set covers more than 20 years
Last week, a hacker claimed on an online forum that they had stolen 1 billion records, mostly belonging to Chinese nationals, in an ongoing effort to sell the information for 10 bitcoins, or nearly $300,000.
The report provides rare insight into how the authorities are cracking down on political dissent and persecuting minorities in China, including Uyghurs and Falun Gong practitioners.
The hacker posted three sample datasets online, totaling 750,000 individual records.
The ABC called the 20 people in China identified in the leak to confirm the authenticity of the police report.
Cybersecurity and other media experts have also verified some of the data from the 23 terabyte database.
However, the overall size of the file and the data breach has not been confirmed by Chinese authorities, who have remained tight-lipped.
In a Shanghai police file that had 250,000 entries, the ABC found the personal details of a former Australian federal lawmaker, who had called police to report the theft of car trunks in 2004.
The ABC has contacted the individual but has not received a response.
Dozens of Australians could also be identified in the dataset, along with their passport details, home addresses, birth dates and police reports.
More than half of the Australians' records relate to failing to register with local police within 24 hours of their arrival in China, a requirement of China’s Entry and Exit Act, which took effect in 2013.
The records span more than 20 years, from 1995 to 2019.
China’s Cyberspace Administration, the Australian Department of Foreign Affairs and Trade, the Australian Federal Police and the Australian Cybersecurity Center have all been contacted for comment.
All mention of the leak is censored on popular Chinese social media platforms Weibo and WeChat.
On Weibo, the Chinese equivalent of Twitter, the Chinese keywords “Shanghai database” and “data breach” have been banned since last week, but posts that circumvent the keywords and question the authenticity of the database remain online.
‘There is data, so there is money’
Robert Potter – co-founder of cybersecurity firm Internet 2.0 – told the ABC he had assessed the data set and it appeared genuine because the records were like any other Chinese government data system he had evaluated in the past.

“Given the scale of the data set, it would be difficult to make large-scale changes,” Potter said.
He said the leaked information came from Alibaba’s cloud servers.
Since 2019, the Shanghai Public Security Bureau has kept its database on a cloud service provided by Alibaba.
ABC has contacted Alibaba for comment.
Mr Potter suggested Australians who found their name on the list should get a new passport.
Monash University cybersecurity and cybercrime specialist Lennon Chang said the amount of data leaked by hackers was “unprecedented”.
“This is a very large database, including all personal information and criminal records that have been stored [by the police],” said Dr Chang.
By posting multiple notes online, Dr Chang explained, hackers are showing accurate datasets to attract more potential buyers.
“He’s not just trying to sell to one person,” said Dr Chang, adding that a lot of people were looking for sample data and trying to play with it.
“There is data, so there is money.”
Police data reveals investigations of minority groups

The leaks reveal a series of police investigations into human rights activists and people from religious minorities, including Uyghur Muslims and Falun Gong practitioners.
China has reportedly detained more than a million people from Muslim ethnic groups, including Uyghurs and Kazakhs, in re-education facilities the state calls vocational training centres.
Falun Gong, a controversial spiritual movement, has been outlawed in China since 1999, and practitioners around the world claim their compatriots were imprisoned and silenced in the ensuing crackdown.
In one case, the ABC spoke to a woman in China identified in the leak, who confirmed that she had reported a Falun Gong practitioner to the local police.
Others were contacted by the police for political commentary, including “humiliating” national leaders and posting anti-Chinese Communist Party (CCP) comments on foreign websites.
Unverified reports in police files show two people were visited by Shanghai police for posting “inappropriate comments”, criticizing President Xi Jinping and the CCP on Twitter via a Virtual Private Network (VPN) in 2018 and 2019.
In one of the police reports, which the ABC has not been able to independently verify, a Uyghur police officer called the local police for help because a Shanghai hotel would not allow him to check in.
The report said it was because of his Uyghur background, which is often seen by Chinese authorities as linked to terrorism or a security threat.
In another incident, Shanghai police checked the hotel room where a Uyghur guest was staying in 2018, and wrote in the report that the possibility of terrorism had been ruled out.
The data leak comes as Xi Jinping makes a historic third bid for president
While the identity of the hacker is still unknown, the incident again reveals the challenges facing China in terms of data vulnerabilities.
China passed a new Personal Information Protection Law last November, tightening rules around data collection, use and storage as Beijing intensifies its controls and data collection during the pandemic.

Dr Chang said hacking, or leaking citizens’ personal information, would be unlawful.
“This is a good time to allow us to see if the data protection laws apply with the Chinese government,” he said.
Dr Chang said another possible intent of the data leak was to interfere with or influence Xi’s bid for a third term as party leader.
“What’s more interesting for me is the timing of this data leak,” said Dr Chang.
The Chinese Communist Party will hold its annual meeting in a few months, and it is widely expected that Xi’s rule will be extended for a third term.
This is a pivotal moment for the country’s political stability as Xi’s opponents are expected to challenge his rule, although many of them have been held back due to his intensifying anti-corruption campaign.