A trove of personal data from residents in eastern China’s Jiangsu Province was found on an unsecured server by security researchers, reports Bleeping Computer, the latest in a series of major security lapses in the country.
Why it matters: The server, which has subsequently been taken offline, included two databases. One contained nearly 60 million personal records such as ID numbers, locations, names, genders, and birthdates, among others. It was owned by provincial police and was not password protected.
- In addition to residents’ data, the server also contained a database with 30 million business records.
Details: Sanyam Jain, researcher at cybersecurity non-profit GDI Foundation, found the open server on July 1 and reported it to the police and China’s National Computer Network Emergency Response Technical Team (CNCERT), a cybersecurity center affiliated with the government. By July 8 it was no longer accessible.
- The two databases contained more than 26 GB of information with a graphical interface that allowed the data to be easily browsed and analyzed.
- The misconfigured server gave anyone who accessed it admin privileges, allowing them to browse, add, or delete data.
Context: Earlier this year, CNCERT said that it had found nearly 500 open databases online and that it was working with authorities to secure them. Jain’s disclosure is the latest in a slew of findings that draw attention to significant cybersecurity lapses in China.
- In March, fellow GDI Foundation researcher Victor Gevers found open databases containing 364 million social media records. The data had been siphoned off internet cafe users in China.
- Data was gathered from popular messaging platforms WeChat and QQ, as well as e-commerce giant Taobao’s merchant-customer communications system Wangwang.
- Two months prior, Gevers found another database containing information from 2.5 million people. The data included IDs and locations.