Data thieves stole the personal information of nearly 5 million people from an unconfirmed number of Chinese online ticket reservation platforms, according to Beijing police, who arrested a suspect in the case.
According to media reports, China Railway’s (CR) official online booking platform 12306 suffered a massive data breach, with information later being sold on the dark web. Compromised data reportedly included names, ID numbers, and passwords.
CR later denied the claims in a Weibo post, saying no users’ information was hacked. However, it warned passengers to avoid booking their tickets on unauthorized third-party platforms.
12306 is one of the world’s busiest websites during the first few months of the year, as millions of people buy tickets ahead of returning home to reunite with their families in celebration of the Spring Festival holiday. CR estimates more than 400 million passengers will travel on its trains over a 40-day peak period between January and March this year.
Police and the capital’s cybersecurity watchdog said an investigation led to the arrest of a 25-year-old suspect who works for an internet company in the city’s Xicheng District. According to police, the suspect purchased the details of 600,000 user accounts on the dark web, using them to gain access to more data held by third-party ticketing platforms.
Since a single user account can contain data from multiple passengers, police said the suspect was able to access the personal details of an additional 4.1 million people, for a total of 4.7 million travelers.
China’s official train ticketing service has been subject to rumors of data leaks in the past. In June 2018, the platform was accused of having 30 million pieces of information hacked and sold for 10 bitcoin, worth roughly $65,000 at the time. Officials immediately denied the claims. The reported leaks have led to users complaining about the ticketing service on social media.