Before the Biggest Leak

Data Breaches in China 2018-2022

On 19 August 2016, an unknown phone number reached 18-year-old Xu Yuyu in Linyi, Shandong. With information such as her address and high school, the callers claimed to be from local education and finance offices. Following their orders, she transferred her tuition fee to activate a bursary account for her upcoming study at the Nanjing University of Posts and Telecommunications. It was too late when she learned it was a scam. Her dreams were shattered, and her family’s savings vanished. The same night, after reporting the incident to the local police, Xu Yuyu suffered a heart attack and passed away.

Xu Yuyu’s tragedy, circulated by Chinese media, triggered a public uproar that demanded justice for the young adult and her family. The Ministry of Public Security intervened, issued a top-level arrest warrant, and located the group of scammers in Fujian who purchased Xu Yuyu’s data online. They traced the transaction and identified the seller in Chengdu – a programmer whose job was to test website data security. In his spare time, he would harvest data from random sites for practice and sell it for extra cash. One database he cracked with malicious software was the enrolment system of exam candidates in Shandong. The leak of personal information, as stated by Linyi’s procuratorate, was the primary cause of the scam and the death of Xu Yuyu (个人信息遭到泄露是造成徐玉玉诈骗致死重要原因).

Despite the public attention that facilitated new laws protecting personal data, the case of Xu Yuyu – involving a leak of the data of 600 thousand examination candidates – could hardly make the list of data breaches in China in terms of scale (see chart). A recent well-known case was the leak of Shanghai Police data in 2022. According to cybersecurity scholar Vinny Troia, the loophole persisted for a year before the Chinese authorities shut it down. If that were true, it would mean that the names, addresses, birthplaces, national IDs, phone numbers, and criminal records of a billion Chinese citizens were exposed for over a year. This is a stark reminder of the potential consequences of data leaks. Given China’s rapid datafication, questions such as what personal data is being extracted, where the data centers are, and how the data moves online confront Chinese citizens who participate in the digital society daily. Surveillance capitalism – a term coined by psychologist Shoshana Zuboff to describe the monetization of personal data – is no less relevant to China’s autocratic regime. Safeguarding data security should be a top item on the state agenda.

This is the backdrop against which one can examine the rise of China’s National Data Bureau. Shortly after its establishment last year, the bureau, in a collaborative effort with 16 state departments, proposed the notion of a “data element” (數據要素) and announced a three-year action plan.[1] The bureau’s mission is to encourage and supervise state and corporate actors on local levels to develop new data management practices for economic and social development. On the bureau’s WeChat account, one can see its updates of typical examples (典型案例) of the “data element.” The idea follows Xi Jinping’s vision to transform data into factors of production and serves as the foundation of a new integrated digital realm that offers policy and business advice based on data from different fields such as transportation, medicine, climate, and material science. Whether these are rhetoric or can contribute to economic growth remains to be seen, but their media exposure already stimulates research and development in artificial intelligence. The Chinese government is taking proactive steps to explore the potential of data. However, the importance of keeping data security in pace with these new developments cannot be overstated. After all, despite the performance of the Chinese police, the hacker compromised Xu Yuyu’s private information not from a corporate source but from an official one.

(posted by Gus Tsz-kit Chan)

[1] The list includes the Office of the Central Leading Group for Cyberspace Affairs, the Ministry of Science and Technology, the Ministry of Industry and Information Technology, Ministry of Transport, Ministry of Agriculture and Rural Affairs, Ministry of Commerce, Ministry of Culture and Tourism, National Health Commission, Ministry of Emergency Management, People’s Bank of China, State Administration for Financial Regulation, National Healthcare Security Administration, Chinese Academy of Sciences, China Meteorological Administration, National Cultural Heritage Administration, and National Administration of Traditional Chinese Medicine.