A prominent Chinese tech CEO has suggested human error as the likely reason hackers got hold of the personal data of 1b people in China from a Shanghai police database & then put some of it up for sale on illegal online markets.
A government developer appears to have divulged credentials to the police database on a popular developer forum, leading to the breach & a later attempt to sell 23Tb of personal data on the dark web.
Developer Networks
A govt. developer wrote a blog post on the China Software Developer Network (CSDN) that accidentally included the credentials to the system where the data was stored, Zhao Changpeng, CEO of cryptocurrency exchange Binance, explained on Twitter on Mon. CSDN is one of the largest developer networks in China.
“Apparently, this exploit happened because the gov developer wrote a tech blog on CSDN & accidentally included the credentials,” Changpeng, who goes on Twitter by the name “CZ,” wrote in the tweet. His post included a screenshot of the code that was included in the blog post.
Culprit for the Leak
Previously, Changpeng had tweeted that his company’s threat intelligence team detected 1b Chinese resident records for sale on the dark web, citing as the “likely” culprit for the leak “a bug in an Elastic Search deployment by a gov agency.” In response to the breach, Binance stepped up its user verification processes, he commented.
Indeed, numerous news outlets reported Tues. that an anonymous hacker or hacking group going by the username “ChinaDan” put up for sale last week 23Tb of stolen data—including names, addresses, birthplaces, national IDs, phone numbers & criminal case information of Chinese citizens—on Breach Forums, a popular cyber-criminal forum.
10 Bitcoin
The unknown players were asking for 10 bitcoin, or about $200k, for the data cache.
With multiple sources confirming that the data appears to be legitimate, the news drew attention across the security industry, with experts calling it the largest cyber-security breach not just in the country’s history, but perhaps ever.
“If ChinaDan is telling the truth, then this is one of the biggest data breaches in history, & it was caused by poor password management,” observed Josh Stahl, security operations centre analyst at Breach Quest, an incident-response security firm.
The upside is that the cause of the breach does not indicate “some new exploit or stealthy malware, but a simple oversight of credential management,” he noted.
Human Error
The breach again focuses attention on the most persistent security issue since the inception of computers & the internet: human error. Verizon’s annual report on data breaches, the 2022 Data Breach Investigations Report (DBIR), cited the “human element” as responsible for 82% of the breaches analysed by researchers, with 13% directly attributed to human error.
Since people overseeing sensitive data still cannot seem to be trusted to protect it, the incident once again demonstrates that companies need to take numerous steps beyond password-protecting systems that store data to ensure that it does not fall into the wrong hands, noted a security professional.
Catastrophic Failure
“This is the end result of a catastrophic failure to implement basic password management & secrets management,” Craig Lurey, CTO & co-founder at cyber-security software firm Keeper Security stated. “Secrets such as database credentials should never be hard-coded into source code, which is what caused the breach.”
He suggested that enterprise password managers enable organisations to establish strict, deliberate role-based access control (RBAC), along with privileged access to infrastructure, to protect sensitive data & secrets.
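The failure mode described above is a credential pasted into text that is then published or committed. As an added example (not code from the article or from any firm quoted in it), the scanner below flags connection URLs with embedded `user:password` and quoted secret literals in a draft, reports only a redacted form so the report itself cannot re-leak the value, and shows the hardened counterpart that reads the endpoint from the environment. The patterns, host, user and password are all constructed for illustration.

```python
import os
import re

# Constructed regexes (not exhaustive) for two common ways a credential lands in text; group 2 is the secret.
SECRET_PATTERNS = [
    # user:password embedded in a connection URL, e.g. http://user:pw@host:9200
    ("url_credentials",
     re.compile(r"(?i)\b([a-z][a-z0-9+.-]*://[^\s/:@]+:)([^\s/@]+)(@)")),
    # password/secret/token assigned a quoted literal in source code
    ("assigned_secret",
     re.compile(r"(?i)((?:password|passwd|pwd|secret|api[_-]?key|token)"
                r"\s*[:=]\s*['\"])([^'\"]{4,})(['\"])")),
]

def scan_text(text):
    """Return (line_no, kind, redacted_line) for every line carrying a secret.
    Only the redacted form is returned, so the report can be logged or posted safely."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for kind, pat in SECRET_PATTERNS:
            redacted = pat.sub(r"\1***\3", line)
            if redacted != line:
                findings.append((n, kind, redacted))
                break
    return findings

def safe_to_publish(text):
    """Gate for a blog draft or a pre-commit hook: True only when nothing matched."""
    return not scan_text(text)

def load_endpoint(var="ES_URL"):
    """Hardened counterpart: the endpoint comes from the environment or a secrets manager, never the source."""
    value = os.environ.get(var)
    if not value:
        raise RuntimeError(f"{var} is not set; refusing to fall back to a hard-coded value")
    return value

# Constructed draft blog post; the host, user and password are made up.
SAMPLE_POST = """# draft: connecting to our search cluster
from elasticsearch import Elasticsearch
es = Elasticsearch("http://admin:S3cretPass@10.0.0.5:9200")
db_password = "hunter2-changeme"
client = Elasticsearch(os.environ["ES_URL"])  # endpoint comes from the environment
"""

if __name__ == "__main__":
    for line_no, kind, redacted in scan_text(SAMPLE_POST):
        print(f"line {line_no}: {kind}: {redacted}")
    print("safe to publish:", safe_to_publish(SAMPLE_POST))
```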
Layered Defence
Another security expert advised organisations to establish a ‘layered defence & behaviour detection’ model to prevent human error from causing potentially catastrophic data leaks.
“Organisations should establish processes to continuously identify, prioritize & remediate gaps in their security monitoring & threat coverage to detect anomalous activity,” Michael Mumcuoglu, CEO & Co-Founder at threat coverage optimisation firm CardinalOps, observed.
‘Flipping’ the Script
The incident also appears to flip the script on China, a country well known as one of the biggest perpetrators of cybercrime, state-sponsored & otherwise.
Typically, China tends to be the actor behind cyber-criminal activity, not the victim of it, although it is difficult to know how often Chinese citizens themselves are targeted by cyber-crime, given the lack of transparent reporting mechanisms for such activity in that country, experts outlined.
In a country with a govt. that notoriously collects massive amounts of data about its own citizens, while imposing tight restrictions on what data & internet resources they themselves can access & use, it is unsurprising that some of this data would eventually fall into criminals’ hands.
High-Profile
There is already precedent for high-profile data leaks that expose the personal data of Chinese citizens. In 2020, for example, sensitive data on around 2m members of the Communist Party of China (CPC) was leaked, including official records as well as information related to their activity in global organisations.
As yet, Shanghai authorities have not publicly responded to the latest data breach, nor are they responding to requests for comment, according to reports.