Businesses in China should brace themselves for a potential spike in smishing attacks and identity theft, following reports that the personal data of 1 billion residents in the country has been put up for sale online. If legitimate, the massive data breach can result in phone swapping or other identity fraud activities, which can impact a Chinese user's social credit scoring.
Hackers claiming to have access to databases containing the data had offered the information for sale on an online forum, which specialised in the trading of stolen databases. Priced at 10 Bitcoins ($197,376) for 24TB worth of data, the personal details included date and place of birth, national identification number, residential address, and mobile number.
The hackers claimed the data came from the Shanghai National Police and offered a sample dump. A report from Wall Street Journal said the details of at least nine residents from this sample were confirmed to be legitimate.
According to data security vendor Acronis, the data sample contained three categories of information comprising the resident's personal data file, phone location data or address and phone number, and police incident or criminal case registry. For the latter, information such as location of the crime and brief incident description appeared to be leaked, Acronis' co-founder and technology president Stas Protassov told ZDNet.
Most of the criminal case information involved minor incidents and descriptions of the scene, including "a fight" at a specific location in Zhujing Town and minor road incidents.
Protassov noted that these police records referred to people involved in the incidents, which could be damaging to them. He added that the compromised data could be used to personalise future attacks, such as spear phishing, or to commit fraud using the identity of the victims.
He urged organisations and individuals to be on the lookout for fraudulent activities and malicious email or text messages.
Asked if the data breach could have greater impact in China, where the use of some services required registration based on personal information, Protassov said it was unlikely the compromised data on its own could result in hackers taking over such services. However, he warned that it could lead to phone swapping or other identity theft activities that could negatively impact a Chinese user's scoring on social media platforms.
Operators of apps that provide news, instant messaging, and other related services in China must require their users to register based on their mobile and identification card numbers. Users who refuse to do so or who use fraudulent identification data cannot be permitted to use the app.
China operates a social credit system that aims to track and assess the trustworthiness of a person, company, and government agency. Each is tagged with a social credit score that is evaluated against various data sources, such as financial, government, and criminal records. The system is undergoing further refinement by the government.
As the data leak potentially included sensitive personal information, Check Point Software Technologies' threat intelligence group manager Sergey Shykevich noted that it could have a big impact on authentication for various government-related services in China.
In particular, it could potentially affect services that required personal information as part of the authentication process or as an additional security factor for identity verification, Shykevich told ZDNet.
Protassov added that while news of data leaks were common, this breach was unique due to its volume.
Shykevich said the significant size of the compromised data indicated a high likelihood cybercriminals might use the information to launch phishing and spear-phishing attacks.
With the leaked data encompassing mobile numbers, Shykevich said businesses in China should be prepared for a potential wave of smishing or SMS phishing attacks.
He added that the online forum touting the sale of the data also peddled other databases from China, including a courier database with 66 million user records that were allegedly stolen from ShunFeng Express in 2020, and data from driving schools in the country.
He recommended that organisations implemented security measures against phishing and smishing attacks, pointing to the need for anti-phishing protection on both PCs and mobile devices. Employees also should be aware their personal data could be used as part of phishing attempts and to exercise caution, he said.
A tweet from Binance CEO Changpeng Zhao suggested the latest data breach was the result of a government employee posting a tech blog on Chinese Software Developer Network that accidentally included user credentials.
Without access to the log files, Protassov said it was impossible to confirm the attack vector. Based on the ID format, he surmised it was likely an Elasticsearch dump, but it was unclear whether the breach was due to leaked credentials or poorly configured systems.
"Such data leaks most commonly happen when someone leaves unauthenticated Elastic instance available on the internet," he added.