According to media reports, a database with 800 million records, including photographs of faces and license plates, was openly available on the Internet until August. The data came from surveillance cameras made by the Chinese manufacturer Xinai Electronics.
The manufacturer’s systems are intended to provide access control for people and vehicles, for example at workplaces, multi-storey car parks, schools or construction sites. As TechCrunch reported, the company not only wants to implement access control with them, but also to enable monitoring of employee attendance, for example for payroll purposes. Its cloud systems, in turn, are meant to let car park operators scan license plates, for example, so that parking fees can be collected without on-site employees.
“Safe data on company servers”
Xinai operates an extensive network of cameras throughout China. From this network the company collected millions of photographs of faces and license plates. On its website, Xinai claims that the data is securely stored on its servers. That turned out to be a hollow promise.
IT security researcher Anurag Sen found an unsecured database on a server hosted by Alibaba in China. According to Sen, the database contained a huge repository of information and was growing rapidly day by day. In all, it contained hundreds of millions of records and the full web addresses of image files hosted on multiple domains belonging to Xinai. Neither the database nor the hosted image files were password protected; both could be accessed via a web browser by anyone who knew where to look.
The database also contained links to high-resolution photos of faces, for example of construction workers entering construction sites and of office visitors, along with other personal information such as the person’s name, age, gender and resident ID number. It also included records of license plate numbers captured by cameras in parking garages, driveways and other office entrances.
Multiple searchers of the database
As TechCrunch points out, Sen wasn’t the only one who searched the database. In an undated ransom note, an extortionist claimed that he had stolen the contents of the database and would restore the data in exchange for a few hundred dollars in cryptocurrency. It is not known whether the blackmailer stole or deleted the data. However, the blockchain address mentioned in the ransom note did not receive any funds.
The database disappeared in mid-August and was no longer accessible. China has had a data protection law in place since November 1, 2021, which, for example, requires companies to obtain people’s consent before their data is collected and processed. But government agencies have been left out. Obviously, this doesn’t curb the data-collecting frenzy either.
About two months ago, it became known that about a billion data sets had been stolen from the Shanghai Police. It remains to be seen whether the recent data protection laws will improve the situation for the Chinese population in the future.