Unsecured databases leak 90 million records of people and businesses in China

clock • 2 min read

Jiangsu Provincial Public Security Department ElasticSearch database had been made publicly accessible with full admin rights

Two databases lying unprotected on the internet leaked records of more than 90 million people and businesses in China last week, a security researcher has claimed.

The databases belonged to the Jiangsu Provincial Public Security Department in China and contained more than 26GB of data. In total, they contained 58,364,777 citizen records and 33,708,010 business records.

The databases were first spotted by Sanyam Jain, an independent security researcher and a member of the GDI Foundation.

Jaim noticed that two databases were being leaked by a publically accessible ElasticSearch server. They contained personally identifiable information on individuals, including their names, date of birth, gender, ID numbers, and their location coordinates.

They also contained data fields named 'city_open_id', 'city_relations', and 'province_open_id' for individuals.

For businesses, the records included details for business types, business IDs, location coordinates, 'city_open_id', and other information.

Jain said that the database leak occurred due to a misconfigured ElasticSearch cluster, which granted full admin rights to anyone who tried to access the database.

Jain reported the incident to the Jiangsu Provincial Public Security Department as well as CNCERT/CC, asking them to have two databases secured.

While the Jiangsu Provincial Public Security Department failed to respond to Sanyam's message, CNCERT/CC was quick to contact the database owner, who eventually took down the unsecured database over the weekend.

This is, however, not the first instance of a database leak exposing personal information on millions of people in China.

Since the beginning of the year, publicly accessible ElasticSearch clusters have exposed about 33 million records of Chinese job seekers, more than 108 million bets from online casinos, and thousands of sensitive legal documents.

In March, an unsecured database in China leaked the personal information on more than 1.8 million women, also revealing their "BreedReady" status.

Also in March, 18 MondoDB databases in China were found to be exposing personal details of millions of accounts on six social platforms in the country.

Related Topics

You may also like
US to block TikTok - ByteDance vows to fight back

Legislation and Regulation

US to block TikTok - ByteDance vows to fight back

Talks about a ban have finally progressed past the theoretical stage

clock 25 April 2024 • 3 min read
ToddyCat cybercriminals using high-end tools to commit 'industrial scale' theft

Threats and Risks

ToddyCat cybercriminals using high-end tools to commit 'industrial scale' theft

ToddyCat restrict access to compromised systems while they steal valuable data.

clock 23 April 2024 • 2 min read
Apple pulls two major messaging platforms from China App Store

Mobile Software

Apple pulls two major messaging platforms from China App Store

Chinese government cites security concerns

clock 22 April 2024 • 2 min read

Sign up to our newsletter

The best news, stories, features and photos from the day in one perfectly formed email.

Get the newsletter

More on Privacy

UK data regulator finds gaps in Google's Privacy Sandbox proposals
Privacy

UK data regulator finds gaps in Google's Privacy Sandbox proposals

Concerns shared with the Competition and Markets Authority

Dev Kundaliya
clock 22 April 2024 • 3 min read
Google to erase private browsing data
Privacy

Google to erase private browsing data

The company will also block third-party cookies for five years

Dev Kundaliya
clock 03 April 2024 • 2 min read
Avast faces fine for tracking and selling user data
Privacy

Avast faces fine for tracking and selling user data

Claimed to protect data, but collected and sold it instead

Dev Kundaliya
clock 25 February 2024 • 2 min read