Chinese PII Breach: It Hits Differently There

The recent Shanghai Police PII breach, disclosed publicly by ChinaDan, supports the claim in early reports that it was the single largest theft of personal data to date; perhaps the biggest hack in history. While Chinese government entities were long overdue for a very public compromise, this leak demonstrated that both Chinese government and business entities are not immune to PII breaches. Take a look at the data: Recent open source research disclosed a few media reports of significant data theft that impacted a large Chinese hotel chain, a provincial public security department and a job recruiting service. When added up, they account for more than one hundred million Chinese nationals impacted, even before ChinaDan got into the mix.

In the West, business email compromises (BEC) and encryption-theft-extortion for ransom are big business. In China, that same business model does not appear to be as successful. As an example, a ransom note left by ChinaDan in this case apparently didn’t work: No one paid the extortion. By paying such a ransom, there is a chance ChinaDan would not have placed the information from the breach for sale publicly—but that was not guaranteed. Nonetheless, it is likely that Chinese government entities are inherently bad targets for extortion. Traditionally, threat actors focus on targets likely to cave to ransom and extortion demands and it is not clear the typical business model would result in similar financial returns in China.

Does Anyone Care?

In very general terms, the U.S. population is wary of government PII collection activities. In 2005, news reports exposed a program through which the NSA was intercepting Americans’ international phone and internet communications. Many Americans were alarmed by this activity, characterized as illegal warrantless searches, and the practice has been challenged in U.S. courts. In contrast, many Americans pay little attention to commercial entities that use and monetize their personal details, such as what occurs on social media platforms and email service providers. Case in point: Numerous U.S. government entities recently warned that a very popular video sharing platform represents a privacy problem; yet Americans still use it and share their information on it, even in the face of clear warnings of intrusive collection by a foreign entity.

Europeans are also concerned about their PII being collected and used. They have forced discussion of the issue for many years and seem to take a more holistic view of it. The EU has limited commercial collection and movement of PII, with the General Data Protection Regulation (GDPR) as a case in point. Additionally, they have also sought to limit government collection of PII. The European Court of Justice has consistently ruled that mass retention of phone/internet traffic and location data violates fundamental EU privacy rights.

In contrast, the Chinese population is subject to constant collection of their PII by the government, and many in the country take it as a given (or at least a strong possibility) that the government intercepts their communications. The Chinese government is not at all transparent about what it collects or what it does with the information harvested from its population. However, we can infer the scope by observing the Chinese government’s actions against those it deems a threat. Those actions are often draconian in their application and indicate the government has significant collections to draw from, as the Shanghai police breach highlights. As such, China’s population has a lower expectation of privacy, so there is less likely to be the backlash, reputational risk or impact on corporate profits that many criminal extortionists rely on to monetize stolen or encrypted data.

How Will China Respond to the Shanghai Breach?

Will China use its vast offensive cybersecurity capability to target the entity responsible for the data leak? Currently, China has been quiet on the matter and is suppressing coverage in the media and on Chinese social media platforms. To understand what the Chinese government might do in response to the Shanghai police breach, it may be useful to consider what they have done in response to other threats.

While the Great Wall of China may or may not be visible from space, China’s Great Firewall is most definitely observable in cyberspace. Mounted upon its virtual crenelated walls is what some call the ‘Great Cannon’, a capability used to conduct cyberattacks against entities beyond its borders. The Great Cannon was reportedly used in a March and April 2015 distributed denial-of-service (DDoS) attack against the anti-censorship organization GreatFire.org. It was also leveraged against two related GitHub pages used to host tools for circumventing the Great Firewall.

How does the Chinese government deal with cyberattacks when the effects are ephemeral? In 2022, the decentralized hacking collective known as Anonymous was actively attempting to breach Chinese government websites. Anonymous used those breaches to warn China not to attack Taiwan. That activity was reported by Taiwanese and international news organizations and shared on social media outside of China. In each instance, the sites were quickly taken down and news and information about the matter was suppressed in China. Predicting this, the hackers ensured the defacements were preserved by the Internet Archive, which is beyond the reach of Chinese government controls. Does China’s apparent lack of overt offense in response to Anonymous mean ChinaDan is going to get a pass?

Very Public Breach of PII

In contrast to Chinese reactions to date, the U.S. government, federal law enforcement and U.S. service providers have previously partnered internationally to counter cybercriminals. U.S. authorities and international partners have successfully pursued, indicted and taken down threat actor infrastructure.

It will be interesting to see what the Chinese authorities actually do in response to this rather large and very public breach of PII. Will China continue to bury the story and institute remedies behind the scenes? Or will they eventually use this event as an opportunity to borrow from the U.S. playbook and go after the thief using some law enforcement-themed nexus? Of all the possible reactions, ChinaDan should be most concerned about being a target of China’s vast offensive hacking capabilities.

Daron Hartvigsen

Daron Hartvigsen, a managing director with StoneTurn, is a cyber threat response and pursuit expert having served both commercial and U.S. government information security domains. He brings more than 20 years of experience in U.S. intelligence, counterintelligence, and law enforcement, and has conducted incident response, cyber threat pursuit, law enforcement investigations, counterintelligence operations, intelligence analysis, and cyber threat degradation activities.