Businesses in China must brace themselves for a possible spike in smishing attacks and identity theft after reports that the personal data of 1 billion people in the country has been put up for sale online. If legitimate, the massive data breach could result in phone switching or other identity fraud activities, which could impact a Chinese user’s social credit score.
Hackers who claimed to have access to databases containing the data had put the information up for sale on an online forum that specialized in trading stolen databases. Priced at 10 Bitcoins ($197.376) for 24 TB of data, the personal data includes date and place of birth, national identification number, home address and mobile number.
The hackers claimed the data came from the Shanghai National Police and offered a sample dump. A Wall Street Journal report said the data from at least nine residents of this sample was legitimate.
According to data security provider Acronis, the data sample contained three categories of information, including the resident’s personal data file, the location information or the phone’s address and phone number, and the police incident or criminal record. For the latter, information such as the location of the crime and a brief description of the incident appeared to have been leaked, Acronis co-founder and technology president Stas Protassov told ZDNet.
Most of the information about the criminal case related to minor incidents and descriptions of the place, including “a fight” at a specific location in Zhujing Town and minor traffic incidents.
Protassov noted that this police data referred to people involved in the incidents, which could harm them. He added that the compromised data could be used to personalize future attacks, such as spear phishing, or to fraud the victims’ identities.
He urged organizations and individuals to be wary of fraudulent activity and malicious email or text messages.
Asked if the data breach could have a bigger impact in China, where use of some services required registration based on personal information, Protassov said it’s unlikely the compromised data in itself could lead hackers to take over such services. . However, he warned that doing so could lead to phone switching or other identity theft activities that could negatively impact a Chinese user’s score on social media platforms.
Operators of apps that provide news, instant messaging and other related services in China should require their users to register based on their mobile and identification card numbers. Users who refuse to do so or use fraudulent identification information will not be allowed to use the app.
China has a social credit system that aims to track and assess the trustworthiness of an individual, company and government agency. Each is tagged with a social credit score that is evaluated against various data sources, such as financial, government, and criminal records. The system is undergo further refinement by the government.
Protassov said that while news of data breaches was common, this breach was unique because of its volume.
According to Sergey Shykevich, manager of the threat intelligence group at Check Point Software Technologies, the significant size of the compromised data indicated that cybercriminals were very likely to use the information to conduct phishing and spear-phishing attacks.
With the leaked mobile number data, Shykevich said companies in China should be prepared for a potential wave of smishing attacks.
He added that the online forum touting the sale of the data also circulated other databases from China, including a courier database containing 66 million user records allegedly stolen from ShunFeng Express in 2020, and data from driving schools in the country.
A tweet from Binance CEO Changpeng Zhao suggested the latest data breach was the result of a government employee posting a technical blog on China’s Software Developer Network that accidentally included user data.