Displaying items by tag: data leak
The profiles and personal messages of 364 million users of Chinese social media sites were leaked online, exposing private records such as photos and identity card numbers which were being gathered by the Chinese government through a surveillance program.
Cybersecurity researcher for the NGO GDI Foundation, Victor Gevers, revealed in a series of tweets that the Chinese government was using a social media surveillance program which was “retrieving messages per province from 6 social platforms and extracts named, ID numbers, ID photos, GPS locations, network information, and all the conversations an file transfers get imported into a large online database.”
He continued “Around 364 million online profiles and their chats & file transfers get processed daily. Then these accounts get linked to a real ID/person. The date is then distributed over police stations per city/province to separate operators’ databases with the same surveillance network name.”
Gevers went on to say that the program used to retrieve all the private and sensitive information looked “like a jerry-rigged PRISM clone of the NSA.” NSA was the US government’s surveillance system that Edward Snowden revealed back in 2013.
In a direct message on Twitter, Gevers voiced some of his concerns regarding the situation.
“These surveillance systems are dangerous when they are open and fully accessible to anyone, which increases the risk of remote data manipulation. We have seen databases get ‘ransomed’ in the past.”
A great deal of the leaked data included information about cybercafés, which Gevers pointed out in a screenshot and said that those cafes may have been used as a potential tool to gather data on users.
QQ and WeChat were among the six Chinese messaging services which are both operated by Tencent.
In the past, WeChat denied their monitoring of user chat logs for government surveillance, however according to the Chinese legal system, all internet companies operating in China are expected to collect and store user data locally in case of an official inspection.
Security researcher Jane Manchun Wong said: “If sensitive information was exchanged in some of those conversations, it could have been sold to black markets, the same way how stolen credit card info from compromised databases work.”
She continued, “Except this one, it’s effortless to hackers. They could essentially just walk in and everything seems to be in plain text and accessible without any login information.”
The database was allegedly secured after Gevers exposed the issue.
There have been a few major leaks in China over the past few years.
Just last month Gevers reported a case regarding a Chinese tech company, SenseNets, which stored the data of 2.6 million people in the region of Xinjiang which is of Muslim majority and is under heavy police surveillance. The data included the ID numbers and addresses of the residents.
200 million US citizens have had their sensitive personal data exposed accidently by a marketing firm contracted by the Republican National Committee. The data – which included 1.1 terabytes worth of information such as birth dates, home addresses, telephone numbers, and political views of about 62 percent of the entire US population – was available on a publicly accessible Amazon cloud server.
The vulnerable data, according to a BBC report, was discovered by Chris Vickery, a cyber-risk analyst with the security form UpGuard. The huge amount of data appears to have been collected from a wide range of sources, including posts on controversial banned threads on social network Reddit, to committees that raised funds for the Republican Party.
The data was stored in spreadsheets uploaded to a server owned by Deep Root Analytics, a media analytics firm. According to the BBC, it has last been updated in January when President Donald Trump was inaugurated and had been online for an undisclosed period of time.
Alex Lundry, the founder of Deep Root Analytics, told tech website Gizmodo: “We take full responsibility for this situation. Based on the information we have gathered thus far, we do not believe that our systems have been hacked.” Lundry added: “Since this event has come to our attention, we have updated the access setting and put protocols in place to prevent further access.”
The data included very personal details about US citizens such as their suspected religious background and affiliations, their ethnicity and political stances, such as where they stood on controversial issues like gun control and abortion rights. The file names and directories suggested that the data was supposed to be used by Republican political organizers to create a profile on as many voters as possible by using all available data.
A blog post by Dan O’Sullivan on UpGuard’s website reads: “That such an enormous national database could be created and hosted online, missing even the simplest of protections against the data being publicly accessible, is troubling.”
O’Sullivan added: “The ability to collect such information and store it insecurely further calls into questions the responsibilities owed by private corporations and political campaigns to those citizens targeted by increasingly high-powered data analytics operations.”
The information leak is said to be the largest in the US to date and has caused grave concern among privacy experts because of the sheer scale of the data gathered. Privacy International’s policy officer, Frederike Kaltheneur told the BBC: “This is deeply troubling. This is not just sensitive, it’s intimate information, prediction about people’s behavior, opinions and beliefs that people have never decided to disclose to anyone.”