Security researchers have spotted a mass data leak from an unsecured database which exposed the personal details of over 2.5 million surveilled Chinese residents.
SenseNets Technology uses AI-powered technology in facial recognition cameras to record the movements of millions of minority Uighurs in the western province of Xinjiang, according to reports.
China has come under increasing international criticism for its treatment of the Muslim minority group, sending hundreds of thousands to ‘re-education camps’ in the desert.
Dutch researcher, Victor Gevers, made the revelations in a series of tweets late last week. The database in question exposed names, ID card numbers, birth dates, location data, employer and more on the tracked individuals.
“There is this company in China named SenseNets. They make artificial intelligence-based security software systems for face recognition, crowd analysis, and personal verification. And their business IP and millions of records of people tracking data is fully accessible to anyone, he explained.
“This database contains over 2,565,724 records of people with personal information like ID card number (issue & expire date, sex, nation, address, birthday, passphoto, employer and which locations with trackers they have passed in the last 24 hours which is about 6,680,348 records.”
The latter are said to have tracked individuals to specific locations such as mosques, hotels and internet cafes.
The original database was left exposed without any authentication needed. So far, the firm’s attempts to mitigate the privacy leak have faltered.
“Dear operators of SenseNets. It's a good thing you starting update that crappy Windows Server 2012 (which is pirated btw). But you switched off the firewall exposing your MongoDB and MySQL server AGAIN,” tweeted Gevers over the weekend.
He also cautioned that while such “advanced traffic monitoring” systems were by and large blocked to users outside of China, the same is not true of those inside the Great Firewall.
“With a Chinese proxy, they are accessible and open,” said Gevers, who works for non-profit the GDI Foundation. “In the last 17 days, over 86 million 'objects' were tracked. In January 386 million.”
The privacy snafu has shone a light on the scale of China’s authoritarian surveillance apparatus. Already a world leader in online censorship, under Xi Jinping the state is now extending its power to snoop into the lives of those deemed a security risk.
Felix Rosbach, product manager at comforte AG, described the incident as like 1984 “but with an even worse twist.”
“Sometimes personally identifiable information sits in silos and hackers only get access to a small amount of data which hold not that much of a value. But with the use of unique identifiers, like national identity card numbers, it is possible to combine datasets of multiple breaches. This enables hackers to use complex identity profiles of customers,” he warned.
“The most important thing organizations can do to protect identity information is to pseudonymize it. This ensures that personal data is protected whenever a breach happens and is even more important for IDs like PANs, social security numbers or national identity cards numbers."