Another round of data breach in China, this time involving Shanghai's Covid app

Another round of data breach in China, this time involving Shanghai’s Covid app. Source: Reuters

  • In the latest data breach episode, a hacker has claimed to have obtained the personal information of 48.5 million users of Shanghai’s health code, or Suishenma.
  • The hacker posted an offer to sell the data for US$4,000 on a hacker forum, providing a sample of the data that included the phone numbers, names, Chinese identification numbers and health code status of 47 people.

Just last month, there was an alleged leak from the Shanghai public security database, jeopardizing data of one billion Chinese residents. When the hacker came forward and made the data breach public, it was actually a rare occurrence, especially for a country that often keeps such matters under wraps. However, that may have also set the precedent for future cyber intrusions. In fact, just last week, another hacker came forward, this time offering to sell data obtained from Shanghai’s health code, known as Suishenma.

In a post on the online hacker community Breach Forum last Wednesday, a poster using the handle XJP asked for US$4,000 in exchange for a database based on Shanghai’s health code system containing the personal information of 48.5 million unique users, who “live in, or have visited, Shanghai” since the adoption of the QR code system. XJP originally asked for US$4,850 before lowering the price later in the day.

XJP also released a sample of the database, which included names, phone numbers, ID numbers and the health code status of 47 citizens. A citizen surnamed Feng, one of those whose data appeared on the list, confirmed the authenticity of his own information, according to the South China Morning Post. Separately, eleven of the 47 reached by Reuters confirmed that they were listed in the sample, though two said their identification numbers were wrong.

For context, Suishenma is the Chinese name for Shanghai’s health code system, which serves the city’s 25 million people, like many similar systems across China. It was established in early 2020 to combat the spread of Covid-19, and all residents and visitors are required to use it. Today, it’s almost a norm, a necessary digital tool in the daily lives of Shanghai residents, as a green code must be presented before taking public transport or entering public venues.

The app collects travel data, and users have to show the code to enter public venues. The data is managed by the city government, and users access Suishenma via the Alipay app, owned by fintech giant and Alibaba affiliate Ant Group, and Tencent Holdings’ WeChat app.

Chinese newspaper Southern Metropolis Daily reported on Friday that government officials from Shanghai’s Big Data Center said that the agency is only responsible for the development of the programme, and denied the data was leaked from the agency. At the point of reporting, other government agencies in Shanghai have yet to confirm the leak.

Data breach — a commonplace in China now?

The latest alleged leak came just a month after what could be the largest ever data leak in the country. Data of one billion Chinese citizens were stolen from the Shanghai National Police (SHGA) network and were left out in the wild for more than a year. It wasn’t a known fact until an anonymous user revealed it in a hacker forum over a month ago. What was also made known was the fact that the 23 terabytes of data were hosted by Alibaba Cloud, the same cloud arm said to be hosting the local police network. 

Since then, Alibaba has been under scrutiny in China, a country where data is almost a top priority and negligence in security, let alone a breach, is not acceptable. At this point, more concerns are being raised about the security of private information in China, since the state has collected huge swathes of data from its citizens for social surveillance and governance purposes.

Although the sprawling breach quickly made international news, government officials and state-run media—usually quick to denounce online rumors—kept mum. Meanwhile, many comments on the revelation have been scrubbed from Chinese social media. As Bloomberg puts it, “The country’s silence speaks volumes.” The only official reaction following the breach has been Chinese Premier Li Keqiang’s calls to bolster information security, to allow the public and businesses to “operate with a peace of mind.”