February 18, 2019

Chinese facial recognition database leak exposes millions, but is “just the start”

By Lucy Ingham

A massive leak that has exposed the personal details of 2.5 million people held in a Chinese facial recognition database is “just the start” of serious leaks of this kind, according to one cybersecurity expert.

The leak was the result of SenseNets, a provider of Chinese facial recognition systems, leaving an online database unprotected.

The exposed data included tracking location data for the previous 24 hours, ID card numbers, sex, nationality, date of birth, address and employer details. It also included a photo of each of the 2.5 million people affected.

The company has since taken steps to secure the database, which was found by cybersecurity researcher Victor Gevers, but the information is now likely to be in the public sphere.

China already makes extensive use of facial recognition in public places, with law enforcement among those already utilising the technology. The country’s use is also set to grow significantly over the next few years.

“Orwell’s 1984”: How the Chinese facial recognition database leak is just the start

Despite representing a gross invasion of privacy for the 2.5 million people affected, the news has not attracted outrage in China, owing to differences between Chinese and Western attitudes to privacy.

However, cybersecurity experts see the breach as typical of the kinds of issues unsuspecting users are now facing, with Felix Rosbach, product manager at comforte AG, describing the incident as a worse version of the dystopian world captured in George Orwell’s book 1984.

“Welcome to Orwell’s 1984, but with an even worse twist. When bad guys get access to your identity information, things can go terribly wrong,” he said.

He warned that such breaches were likely to become more common due to the way that many companies handle such data.

“This is just the start. Sometimes personally identifiable information sits in silos and hackers only get access to a small amount of data which holds not that much value,” he said.

“But with the use of unique identifiers, like national identity card numbers, it is possible to combine datasets of multiple breaches. This enables hackers to use complex identity profiles of customers.”

For companies, the onus is on protecting data as it is stored – not just on controlling how it is accessed.

“The most important thing organisations can do to protect identity information is to pseudonymise it,” said Rosbach.

“This ensures that personal data is protected whenever a breach happens and is even more important for IDs like PANs, social security numbers or national identity card numbers.”
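The two points Rosbach makes, that a shared national identity number lets breached datasets be joined into a fuller profile, and that pseudonymising the identifier at rest breaks that join, can be shown in a few lines. The following is an added example written for this page; it is not code from the article, from SenseNets or from comforte AG. It assumes keyed pseudonymisation with HMAC-SHA256 under a separate secret key per system (a plain unkeyed hash would give every system the same pseudonym and so would still be joinable), and the two datasets and their 18-digit ID strings are constructed for the illustration.

```python
"""Pseudonymising national ID numbers so that breached datasets cannot be joined.

Added illustration. The records and ID numbers below are constructed, not real
people and not from the SenseNets database.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Set

Record = Dict[str, str]

# Constructed sample data: two independent systems that both key their records
# on a national ID card number. The IDs are invented 18-digit strings.
TRACKING_DB: List[Record] = [
    {"national_id": "110101199001011234", "location": "Gate 4", "seen_at": "2019-02-13T08:12"},
    {"national_id": "310101198505057890", "location": "Lobby", "seen_at": "2019-02-13T08:40"},
    {"national_id": "440101199212120001", "location": "Gate 2", "seen_at": "2019-02-13T09:05"},
]
HR_DB: List[Record] = [
    {"national_id": "110101199001011234", "name": "Alice Example", "employer": "Acme Ltd"},
    {"national_id": "310101198505057890", "name": "Bob Example", "employer": "Widget Co"},
    {"national_id": "999999199901010099", "name": "Carol Example", "employer": "Acme Ltd"},
]


def pseudonym(key: bytes, value: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the identifier under a secret key.

    The key is what makes this better than a bare hash: without it nobody can
    recompute the mapping from the small, structured space of valid ID numbers,
    and two systems with different keys produce unrelated pseudonyms.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: List[Record], key: bytes, field: str = "national_id") -> List[Record]:
    """Return a copy of `records` with `field` replaced by its keyed pseudonym.

    Only the identifier changes; the other columns stay usable for analytics.
    """
    out: List[Record] = []
    for rec in records:
        copy = dict(rec)
        copy[field] = pseudonym(key, rec[field])
        out.append(copy)
    return out


def shared_ids(a: List[Record], b: List[Record], field: str = "national_id") -> Set[str]:
    """Identifier values present in both datasets: exactly what allows a join."""
    return {r[field] for r in a} & {r[field] for r in b}


def merged_profiles(a: List[Record], b: List[Record], field: str = "national_id") -> Dict[str, Record]:
    """Join two datasets on the shared identifier into one combined profile per person.

    Run over raw breached data this is the 'complex identity profile' the
    article warns about; run over pseudonymised data with separate keys it is empty.
    """
    index = {r[field]: r for r in b}
    return {r[field]: {**r, **index[r[field]]} for r in a if r[field] in index}


def demo() -> tuple:
    """Return (joinable raw, joinable with per-system keys, joinable with one shared key)."""
    raw_links = len(shared_ids(TRACKING_DB, HR_DB))

    # Assumption: each system holds its own key, stored outside the database it
    # protects (for example in an HSM or key-management service).
    k_tracking, k_hr = secrets.token_bytes(32), secrets.token_bytes(32)
    p_tracking = pseudonymise(TRACKING_DB, k_tracking)
    p_hr = pseudonymise(HR_DB, k_hr)
    cross_links = len(shared_ids(p_tracking, p_hr))

    # If both systems reuse the same key, the pseudonyms line up again, so key
    # separation is part of the protection, not an optional detail.
    same_key_links = len(shared_ids(pseudonymise(TRACKING_DB, k_hr), p_hr))
    return raw_links, cross_links, same_key_links


if __name__ == "__main__":
    print("joinable people (raw / separate keys / shared key):", demo())
```

Running the module prints `(2, 0, 2)`: two people appear in both raw datasets and can be merged, none can be matched once each system has pseudonymised its identifier under its own key, and the linkage returns as soon as one key is shared. The data owner can still match records inside its own system, because the pseudonym is deterministic for a given key, which is what keeps the data useful while limiting what a leaked copy reveals.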