Huge database of Chinese faces and vehicle license plates dumped online – TechCrunch

A huge Chinese database storing millions of faces and vehicle license plates was left exposed on the internet for months before quietly disappearing in August.

While its contents may seem mundane for China, where facial recognition is commonplace and state surveillance ubiquitous, the sheer size of the exposed database is staggering. At its peak, the database contained more than 800 million records, making it one of the largest known data security breaches of the year in terms of scale, following a massive breach of one billion records from a Shanghai police database in June. In both cases, the data was likely exposed inadvertently and as a result of human error.

The exposed data belongs to a technology company called Xinai Electronics, based in Hangzhou on the east coast of China. The company builds systems to control access for people and vehicles to workplaces, schools, construction sites and parking lots across China. Its website touts its use of facial recognition for a variety of purposes beyond building access, including personnel management, such as payroll and monitoring employee attendance and performance, while its cloud-based vehicle license plate recognition allows drivers to pay for parking in unattended garages that are managed by staff remotely.

It is through an extensive network of cameras that Xinai has amassed millions of facial prints and license plates, data that its website claims is “stored securely” on its servers.

But that was not the case.

Security researcher Anurag Sen found the company’s exposed database on a server hosted by Alibaba in China and enlisted TechCrunch’s help in reporting the security breach to Xinai.

Sen said the database contained an alarming amount of information that was rapidly growing day by day and included hundreds of millions of records and full web addresses of image files hosted on multiple Xinai-owned domains. But neither the database nor the hosted image files were password protected, and both could be viewed from a web browser by anyone who knew where to look.

The database included links to high-resolution photos of faces, including construction workers entering construction sites and office visitors checking in, and other personal information, such as name, age and the person’s gender, as well as resident identification numbers, which are China’s answer to identity cards. The database also contained records of vehicle license plates collected by Xinai cameras in parking lots, driveways and other office entry points.

Photos of vehicle license plates tracked across China. Picture credits: TechCrunch (composite)

TechCrunch sent several messages regarding the exposed database to email addresses known to be associated with Xinai’s founder, but our emails were not returned. The database was no longer accessible by mid-August.

But Sen is not the only person to have discovered the database while it was exposed. An undated ransom note left by a data extortionist claimed to have stolen the contents of the database; the extortionist said he would restore the data in exchange for a few hundred dollars’ worth of cryptocurrency. It is not known whether the extortionist stole or deleted any data, but the blockchain address left in the ransom note shows that he has not received any funds yet.

China’s surveillance state extends deep into the private sector, giving police and government authorities nearly unfettered access and capabilities to track people and vehicles across the country. China uses facial recognition to track its vast population in smart cities, but also uses the technology for mass surveillance of minority populations that Beijing has long been accused of oppressing.

Last year, China passed the Personal Information Protection Law, its first comprehensive data protection law, which is seen as China’s equivalent of Europe’s GDPR privacy rules. The law aims to limit the amount of data that companies collect but largely exempts the police and government agencies that make up China’s extensive state monitoring.

But now, with two massive data exposures in recent months, the Chinese government and tech companies find themselves ill-equipped to protect the vast amount of data their surveillance systems collect.