Shanghai allegedly at the centre of another data hack. Photo: Shutterstock

Shanghai health code system containing personal data of 48.5 million people allegedly hacked and touted for sale

  • The poster also released a sample of the database, which included names, phone numbers, ID numbers and the health code status of 47 citizens
  • Shanghai’s health code, or Suishenma, is a QR code programme developed by the Shanghai Big Data Centre

A database allegedly containing the personal information of 48.5 million citizens based on Shanghai’s health code system has been put on sale online, according to a post on a hacker community website, just one month after a previous alleged data leak involving one billion Chinese residents.

In a post on the online hacker community Breach Forum on Wednesday, a poster – using the handle name XJP – asked for US$4,000 to hand over a database based on Shanghai’s health code system containing the personal information of 48.5 million unique users, who “live in, or have visited, Shanghai” since the adoption of the QR code system.

The poster also released a sample of the database, which included names, phone numbers, ID numbers and the health code status of 47 citizens. A citizen surnamed Feng, one of those whose data appeared on the list, confirmed the authenticity of his own information and told the Post that he is upset about it being posted online. He declined to give his full name due to the sensitivity of the matter.

When asked by another user in the post whether the alleged database is related to the huge alleged leak from the Shanghai public security database last month, the poster replied: “Not directly.”

Shanghai’s health code, or Suishenma, is a QR code programme developed in early 2020 by the Shanghai Big Data Centre, an agency under the Shanghai Municipal Government, to help local authorities manage the Covid-19 outbreak. It classifies a citizen’s risk of spreading the virus by assigning their QR code one of three colours: red, yellow or green. It has now become a necessary digital tool in the daily lives of Shanghai residents, as they need to present a green code before taking public transport or entering public venues.

A government official from Shanghai’s Big Data Centre said that the agency is only responsible for the development of the programme, and denied the data was leaked from the agency, Chinese newspaper Southern Metropolis Daily reported on Friday. Other government agencies in Shanghai have yet to confirm the leak.

The alleged leak, just a month after what could be the largest ever data leak in the country, has raised concerns about the security of private information in China, where the state has collected huge swathes of data from its citizens for social surveillance and governance purposes.

In late June, a poster from the same community, with the handle name of “ChinaDan”, touted for sale personal information from the city’s police database. It allegedly contained the information of 1 billion Chinese residents, including names, addresses, identification numbers and mobile phone numbers, according to the post which was later removed by forum administrators.

While Shanghai police did not respond to requests for comment, executives at Alibaba’s cloud unit were summoned by authorities in Shanghai over the hacked data, which was stored on its servers, The Wall Street Journal reported at the time. Alibaba owns the Post.

Chinese netizens rushed to express their concerns over privacy on Friday, with the topic of “officials respond to web site allegedly selling Suishenma data” trending on microblogging platform Weibo. “As Covid-19 develops, almost everyone has applied for a health code. If this is real, the impact is almost unimaginable,” commented a Weibo user going by the name of “Wang Dachui”.

Chinese authorities have previously said the country is a consistent target of overseas hackers. Northwestern Polytechnical University, based in Xian and one of the country’s top schools for national defence research, said in a statement last month that it had been the target of a cyberattack from overseas.

But there have been several data leaks domestically amid a rampant underground market for personal information. In 2020 alone, China investigated 560,000 cases of cybercrime and arrested over 80,000 suspects, including 13,000 involved in personal information infringement and another 2,975 suspects involved in hacking, according to the Ministry of Public Security.