The Shanghai police database leak refers to the unauthorized disclosure of sensitive personal information and police case data from the Shanghai National Police Database, also known as the SHGA Database, in early July 2022. The leaked data, totaling over 23 terabytes, includes details of more than one billion Chinese residents, encompassing names, addresses, birthplaces, resident ID card numbers, phone numbers, photos, mobile phone numbers, and information on criminal cases. The data was made available for sale on the internet by an unidentified hacker, who demanded a price of 10 bitcoins.[1] [2]
The origin of the leaked information is believed to be the Shanghai Public Security Bureau, although this has not been officially confirmed. Screenshots shared online revealed a vast amount of detailed police information, such as the times of crime reports, the contact numbers of the individuals who made them, and the reasons for reporting. Notably, initial analysis indicated that the personal data originated from residents all across mainland China, rather than being limited to Shanghai alone.[3] [4]
If the reported volume of data is accurate, the Shanghai police database leak would be regarded as the largest and most significant incident of its kind since 1949.[5] News of the leak was censored on the social platform Weibo in mainland China, potentially to impede its spread. The authorities have not yet acknowledged or publicly addressed the incident. Despite inquiries sent by Bloomberg to the Central Cyberspace Administration of China and the Shanghai Police Bureau, no responses have been received thus far. Bloomberg criticized the lack of transparency and disclosure surrounding data breaches in the People's Republic of China, citing previous incidents such as the leak of personal information of Communist Party members in 2016, the Weibo account information leak in 2020, and the leak of information from Xinjiang re-education camps in 2022. Cybersecurity researcher Vinny Troia claimed he discovered the leak over a year before the server was eventually shut down.[6]