In China, a database containing around 800 million faces and license plates was apparently freely accessible on the Internet for several months. The data allegedly originated from surveillance cameras made by Xinai Electronics.
Surveillance company failed to secure database
The company provides electronic access control for people and vehicles. Throughout China, Xinai Electronics’ cameras are used in places such as schools, construction sites, businesses and parking garages. In addition to checking access authorizations, the company also offers automatic billing in parking garages and permanent monitoring of employee presence at the workplace.
On its own website, Xinai confidently claims that the data collected in the process is stored securely on its own servers. This has now turned out to be untrue. According to IT security researcher Anurag Sen, the data was stored unprotected on servers belonging to the Chinese company Alibaba. The rapidly growing data set contained high-resolution photos of license plates and faces, along with related information such as the names, ages and resident IDs of the people pictured. Sen was able to show that all of this data could be freely accessed from the Internet without a password or any other protection; all that was required was knowledge of the Internet address.
Ransom demand related to the data
In addition to the IT security researcher, at least one other person discovered the data set, which remained openly accessible until August. As a result, the company was confronted with a ransom demand: an unknown person claimed to have stolen the stored data and demanded a monetary payment, saying the data would only be released once the payment was received. The company apparently did not respond to the extortion; no money was received at the blockchain address provided.
It is unclear whether the person behind the extortion had anything to do with the database disappearing from the Internet, as Xinai Electronics has not yet commented publicly. It is also conceivable that the company itself took the database offline after the lack of protection became known.
Data protection in China
Since November 2021, China has had a data protection law that requires private companies to obtain consent from data subjects before processing personal data. So far, however, the data protection law in the dictatorship has had little effect: state agencies that collect and analyze data on a large scale are exempt from regulation, and private companies, as the current example shows, do not necessarily comply with the requirements. The exemption of state agencies is problematic not only because the authoritarian regime uses the data as a basis for disciplining its citizens; the lack of protection for the data has also led to it being stolen in the past, allowing third parties to use it for other purposes. Recently, for example, around one billion data records were stolen from the Shanghai police.