In a significant cybersecurity incident that erupted in the summer of 2022, a data breach involving the Shanghai National Police database took the world by storm, particularly within cybercrime and cybersecurity research circles. The breach was made available for sale on the English-language forum BreachForums and raised eyebrows for two main reasons: its massive scale and its unprecedented origin.
"The breach reportedly contained personally identifiable information on a staggering billion Chinese residents, including names, addresses, phone numbers, national ID numbers, and even some criminal record data," said Zoe Neale from SpyCloud Labs.
"The breach reportedly contained personally identifiable information on a staggering billion Chinese residents, including names, addresses, phone numbers, national ID numbers, and even some criminal record data,"
The dataset, presented by a seller identified as 'ChinaDan,' quickly caught the attention of experts due to the sensitive nature of the exposed information. Initially, the dataset was offered for an exclusive price of 10 Bitcoin, further underscoring the serious implications this breach held.
By the Numbers
By the Numbers
By the Numbers
In February 2025, SpyCloud’s team managed to secure a re-circulated copy of the dataset tied to that 2022 incident, revealing insights into the depth of this data leak. "We obtained 960 million rows containing names and national ID numbers of Chinese citizens," said Aurora Johnson, also from SpyCloud. "This enormous dataset also comprises additional PII for a portion of those individuals."
"We obtained 960 million rows containing names and national ID numbers of Chinese citizens,"
By the Numbers
By the Numbers
The analysis of these national ID numbers sheds light on how they serve multi-functional purposes beyond mere identification. Each individual's national ID number inherently contains various points of critical data, making them invaluable yet vulnerable in the wrong hands.
By the Numbers
"Governments typically assign these identification numbers centrally, and they serve as unique identifiers for their citizens," Johnson explained. "In a sense, they function as the ultimate JOIN values in data management across different systems."
"Governments typically assign these identification numbers centrally, and they serve as unique identifiers for their citizens,"
The allure of these numbers lies in their comprehensiveness. They are often used not just by government entities but also by third-party organizations. This practice is not limited to just China; for instance, in the United States, social security numbers (SSNs) are used broadly outside their original context. "If you’ve ever had a background check for a job or an apartment, chances are you had to provide your SSN, which can be tracked across various databases," Neale noted.
"If you’ve ever had a background check for a job or an apartment, chances are you had to provide your SSN, which can be tracked across various databases,"
As for China, the citizenship identification number (公民身份号码) exemplifies the intricate data embedded within. It is an 18-digit number structured to contain crucial information such as administrative division codes, birthdates, sequence codes, and a checksum.
To break it down, the first six digits of this ID number correspond to the geographical location where it was assigned, representing the individual's birthplace. The following eight digits denote the individual’s birthdate in a YYYY-MM-DD format, while the next three comprise a sequence code that identifies gender and ensures uniqueness among individuals with identical birthdates. The last digit functions as a checksum, ensuring data integrity.
"What’s alarming is that these identification numbers are extensively collected by various Chinese digital platforms due to the country's stringent 'real-name system'. Under this system, the government mandates identification for the majority of online services," Neale remarked.
This extensive compilation of data from a breach of this magnitude could have far-reaching ramifications, not only for those individuals directly affected but also for wider cybersecurity practices. The sheer volume of sensitive information magnifies the challenges for cybersecurity professionals and law enforcement agencies.
As experts continue to scrutinize the dataset, the implications for personal privacy and data security remain profound. Each chip in the criminal underbelly of this dataset serves as a reminder of the vulnerabilities present in our digital systems. The exposure of such detailed information raises the stakes for identifying and mitigating risks associated with digital identification processes.
Looking ahead, the industry must brace itself for the potential fallout from this substantial breach. Cybersecurity experts are urged to develop stronger safeguards and to educate users on the significance of protecting their personal data. The lessons learned from the Shanghai National Police database breach will likely echo within cyber risk management discussions worldwide for years to come.
