- A massive online database containing the personal information of up to 1 billion Chinese citizens was left unsecured and publicly accessible for more than a year — until an anonymous user in a hacker forum offered to sell the data and brought it to wider attention.
- The anonymous internet user, identified as “ChinaDan”, posted on the hacker forum Breach Forums offering to sell the more than 23 terabytes (TB) of data for 10 bitcoin, equivalent to about $200,000.
- According to cybersecurity experts, the leak could be one of the biggest ever recorded.
- They highlighted the risks of collecting and storing vast amounts of sensitive personal data online — especially in a country where authorities have broad and unchecked access to such data.
- The data purportedly includes information from the Shanghai National Police database.
- A sample of 750,000 data entries from the three main indexes of the database was included in the seller’s post.
- The seller also claimed the unsecured database had been hosted by Alibaba Cloud, a subsidiary of Chinese e-commerce giant Alibaba. Alibaba declined to comment.
- The data leak initially sparked discussion on Chinese social media platforms such as Weibo.
- One person said they were skeptical until they managed to verify some of the personal data leaked online by attempting to search for people on Alipay using their personal information.
- Kendra Schaefer, a partner for technology at policy research firm Trivium China, said in a tweet that it’s “hard to parse truth from the rumor mill, but can confirm file exists.”
- Such data leaks are fairly common, according to Michael Gazeley, managing director at Hong Kong-based security firm Network Box.
- “There are approximately 12 billion compromised accounts posted on the Dark Web right now. That’s more than the total number of people in the world,” he said, adding that a majority of data leaks often come from the US.
- Chester Wisniewski, principal research scientist at cybersecurity firm Sophos, said that the breach is “potentially incredibly embarrassing to the Chinese government,” and the political harm would probably outweigh damage to the people whose data was leaked.
- “The information, once it’s unleashed, is forever out there,” Wisniewski said. “So if someone believes their information was part of this attack, they have to assume it’s forever available to anyone and they should be taking precautions to protect themselves.”
- A major cryptocurrency exchange said it had stepped up verification procedures to guard against fraud attempts such as using personal information from the reported hack to take over people’s accounts.
- “As it stands today, I believe this would be the largest leak of public information yet — certainly in terms of the breadth of the impact in China, we’re talking about most of the population here,” said Troy Hunt, a Microsoft regional director based in Australia.
DATA BREACH CASES ALL AROUND THE WORLD
1) CAM4 data breach
- Adult video streaming website CAM4 had its Elasticsearch server breached, exposing over 10 billion records.
- The breached records included the following sensitive information:
- Full names
- Email addresses
- Email correspondence transcripts
- Password hashes
- IP addresses
- Payment logs, etc.
- Because of the adult nature of the breached service, compromised users could fall victim to blackmail and defamation attempts for many years to come.
2) Yahoo data breach 2017
- In October 2017, Yahoo estimated that the data of over 3 billion user accounts had been compromised by a group of hackers.
- An investigation revealed that users’ clear-text passwords, payment card data and bank information were not stolen, but some accounts had been subject to identity theft since 2013.
3) Aadhaar data breach
- In March 2018, it became public that the personal information of more than a billion Indian citizens stored in the world’s largest biometric database could be bought online.
- This massive data breach was the result of a data leak on a system run by a state-owned utility company.
- It impacted over 1 billion people.
- The breach allowed access to private information of Aadhaar holders, exposing their names, their unique 12-digit identity numbers, and their bank details.
4) First American Financial Corp. data breach
- In May 2019, First American Financial Corporation reportedly leaked 885 million users’ sensitive records that date back more than 16 years, including bank account records, social security numbers, wire transactions, and other mortgage paperwork.
5) LinkedIn data breach 2021
- Data associated with 700 million LinkedIn users was posted for sale on a Dark Web forum in June 2021. This exposure impacted 92% of the total LinkedIn user base of 756 million users.
- The data was dumped in two waves, initially exposing 500 million users, followed by a second dump in which the hacker “God User” boasted that they were selling a database of 700 million LinkedIn users.
- The hackers published a sample containing 1 million records to confirm the legitimacy of the breach.
- The hacker scraped the data by exploiting LinkedIn’s API.
- LinkedIn claims that, because personal information was not compromised, this event was not a ‘data breach’ but, rather, just a violation of its terms of service through prohibited data scraping.
DIFFERENCE BETWEEN DATA BREACH AND DATA LEAK
What is a Data Leak?
- A data leak is an overlooked exposure of sensitive data, either electronically or physically. Data leaks can occur over the internet or via physical devices such as external hard drives or laptops.
Data Breach
- A data breach is the outcome of a planned cyber attack, but a data leak is the accidental exposure of sensitive data by a business.
- Cybercriminals do not create data leaks, they discover them and then use them to launch data breach attacks.
- Without a sophisticated data protection solution, businesses remain vulnerable to data breaches through their third-party network.
Data Protection in India
INTRODUCTION
- Data protection is the process of safeguarding important information from corruption, compromise or loss.
- Data is the large collection of information that is stored on a computer or on a network.
WHY DATA PROTECTION LAWS ARE NEEDED?
- According to the Internet and Mobile Association of India (IAMAI)’s Digital in India report 2019, there are about 504 million active web users and India’s online market is second only to China.
- The large-scale collection of information about individuals and their online habits has become an important source of profit.
- It is also a potential avenue for invasion of privacy, because it can reveal extremely personal aspects of a person’s life.
- Companies, governments, and political parties find it valuable because they can use it to find the most convincing ways to advertise to you online.
Laws for Data Protection across the Globe
EUROPEAN UNION
- As per the statistics from the United Nations (UN), 128 out of 194 countries have legislation to ensure data protection.
- European Union’s privacy regulations are called the General Data Protection Regulation.
- GDPR came into force in 2018 and has since inspired similar laws worldwide, including in Thailand, Brazil, the UK, and South Korea.
- GDPR deals with the data subject’s rights, duties of data controllers, supervisory authorities, remedies, liabilities and penalties, transfer of personal data to third parties etc.
- Because of the stringent GDPR rules, WhatsApp’s policy changes did not apply in the European Union.
Iceland
- Iceland has often been referred to as the ‘Switzerland of data’. The Nordic island country’s Data Protection Act of 2000 requires ‘unambiguous and informed consent’ for harvesting individual data.
US
- The US has sectoral laws to deal with matters of digital privacy, such as the US Privacy Act, 1974, the Gramm-Leach-Bliley Act, etc.
China
- China’s first draft of the Personal Information Protection Law was made available for public comment recently.
- The draft brings together existing privacy laws under one umbrella.
- Further, it adds to the protection of personal data in China, with provisions for steep fines, extraterritorial applicability, deployment of data protection officers etc.
Initiatives in India
Information Technology Act, 2000
- It provides safeguards against certain breaches in relation to data from computer systems. It contains provisions to prevent the unauthorized use of computers, computer systems and the data stored therein.
Personal Data Protection Bill 2019
- The Supreme Court upheld the right to privacy as a fundamental right in the landmark decision of K.S. Puttaswamy v. Union of India (2017), after which the Union government appointed the Justice B.N. Srikrishna Committee to propose skeletal legislation in the field of data protection.
- The Committee came up with its report and draft legislation in the form of the Personal Data Protection Bill, 2018.
- In 2019, Parliament revised the Bill again, and it deviated substantially from the 2018 Bill. The new Bill was named the Personal Data Protection Bill, 2019.
- The purpose of this Bill is to provide for the protection of individuals’ privacy relating to their personal data and to establish a Data Protection Authority of India for the said purposes and for matters concerning the personal data of an individual.
- “India desperately needs a strong data protection policy. Particularly one which protects individuals’ data from all actors, public or private. It will need to ensure that such a policy is implemented with a clear goal of safeguarding the rights of citizens. It is also important to educate people about the value of their data,” says Aparna Ashok, AI Ethics researcher and founder of EthicsSprint.