Hacker Touts Data Sale Of 48.5m Users Of Covid App – Report

The personal data of millions of Chinese citizens is being offered for sale, in the latest privacy breach for the country.

Reuters reported that a hacker, who goes by the username ‘XJP’, posted an offer sell personal information on 48.5 million users of a Covid health code app run by the city of Shanghai for $4,000 on the hacker forum Breach Forums on Wednesday.

This is potentially another major privacy breach of people’s data for Chinese authorities. Last month a hacker called ChinaDan claimed to have stolen data on one billion Chinese citizens from Shanghai police.

Data breach

ChinaDan also made the offer last month on the Breach Forums, saying he wanted to sell the data, made up more than 23 terabytes of information, for 10 Bitcoin, or about $200,000 (£165,000).

The user claimed the data included information such as names, addresses and national ID numbers.

The sheer number of personal data in that case make it one of the biggest data breaches in history.

Now Reuters has reported that a hacker called XJP is touting personal data for sale of 48.5 million Shanghai citizens and visitors.

The hacker apparently provided a sample of the data including the phone numbers, names and Chinese identification numbers and health code status of 47 people.

Eleven of the 47 reached by Reuters confirmed that they were listed in the sample, though two said their identification numbers were wrong.

“This DB (database) contains everyone who lives in or visited Shanghai since Suishenma’s adoption,” XJP reported said in the post on the forum. He originally asked for $4,850 before lowering the price later in the day.

According to Reuters, Suishenma is the Chinese name for Shanghai’s health code system, which the city established in early 2020 to combat the spread of Covid-19.

All residents and visitors have to use the app, which collects travel data to give people a red, yellow or green rating indicating the likelihood of having the virus and users have to show the code to enter public venues.

The data is managed by the city government and users access Suishenma via the Alipay app, owned by fintech giant and Alibaba affiliate Ant Group, and Tencent Holdings’ WeChat app.

Privacy law

Shanghai is a Chinese city of 25 million residents, and is considered to be the financial hub of China.

The city recently endured a tough two month lock down that end in late May, which badly impacted the daily lives of millions of people, and disrupted the local economy and manufacturing operations.

China last year brought in a new privacy law intended to tighten controls on the collection and use of personal data, including stronger rules governing surveillance systems.

The Personal Information Protection Law prohibits “illegally collecting, using, processing, transmitting, disclosing and trading people’s personal information.”

Before this law, China had no rules in place specifically concerning the collection and use of personal data.