The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Here are four big questions about the massive Shanghai police leak

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Good morning and happy Wednesday! Make sure you tune in tomorrow, when our esteemed colleague Joe Menn will helm the newsletter – you won't want to miss it.

Below: Federal Trade Commission Chair Lina Khan is under pressure to investigate reports that U.S. user data on TikTok was repeatedly accessed in China, and Marriott acknowledges one of its computers was breached.

We're still learning the details of the China police leak. Here are some key questions.

A potentially massive leak of data from police in China’s most populous city is heightening concerns that sensitive information on a billion Chinese citizens — yes, a billion — could be exposed. 

The data includes personal information like phone numbers and birthdays. But, perhaps most troublingly, it includes reports about crimes like domestic violence and has data from 1995 to 2019, the Wall Street Journal reported.

Billions of records could catapult the leak as one of the largest ever. But much is still not known about the incident, which is raising more questions than answers. Here are four of the biggest questions about the leak:

1. Is the data real?

The leak has sketchy origins, with a pseudonymous user first advertising the data on a hacker forum Thursday. They have released what they called a “sample” amounting to several hundred thousand records from the database.

So far, it appears that at least some of that data checks out. The Wall Street Journal and New York Times separately called people whose data was included in the leak. Nine people who the two outlets called confirmed that details about them in the leak were accurate.

Here’s more from Wall Street Journal reporter Karen Hao:

But Chinese authorities haven’t publicly commented on or confirmed the alleged leak. Shanghai police and China's internet regulator didn't respond to the Wall Street Journal's request for comment.

Such “radio silence” is unusual in the wake of data breaches, but perhaps less unusual for Chinese police who don’t communicate in the same way as Western companies, Troy Hunt, the founder of Have I Been Pwned, a website that lets people check if their data was exposed in data breaches, told me.

The leak comes as Chinese regulators scrutinize the data security practices of Chinese tech firms that they say have collected troves of information about Chinese users. It also comes amid criticism that Chinese authorities are surveilling and amassing massive amounts of data on Chinese citizens as part of a drive to track them and predict crimes, the New York Times reported last month. 

2. Who has the data?

The data is being offered for sale for 10 bitcoin (around $200,000). It’s not clear how many people have approached the seller, “ChinaDan,” to buy the massive trove of data.

It’s also not clear how widely circulated the data was before Thursday, and it's not clear how many people already had access to the data.

The database was accessible online for months before it hit the public spotlight, security researchers told CNN’s Yong Xiong, Hannah Ritchie and Nectar Gan. 

  • That could make the leak even more devastating. If it was indeed “exposed for a long period of time, you'd have to assume other people found it,” Hunt told me.

3. Who was behind the leak?

The origins, provenance and sequence of events leading up to the Thursday post are fuzzy. “ChinaDan” hasn't publicly commented on when they got the data, if they plan to keep trying to sell it and if they have sold it to anyone. They didn’t respond to a request for comment on these issues.

It's also not clear if they are acting alone, are part of a wider operation or are sponsored by a government or other backer.

4. What is the impact?

The leak would amount to a massive blunder if it is legitimate and did in fact lie unsecured for more than a year. It could also lead to real-world harm if particularly sensitive information, like reports of sexual assault and abuse, were to get out.

  • Some of the data said whether people included in the data set had been labeled a “key person” by China's Ministry of Public Security, the New York Times reported. That blacklist has included people with mental illness, people who use drugs and political troublemakers, the outlet previously reported. China doesn't notify people when they've been added to the list.

Although they haven't acknowledged the leak, Chinese authorities have seemingly taken notice of it. They've blocked popular hashtags like “data leak,” “Shanghai national security database breach” and “1 billion citizens’ records leak” on Weibo, a Twitter-like social media network, the Financial Times’s Ryan McMorrow and Gloria Li report. One user said they were even invited to discuss a viral post about the leak with local authorities, McMorrow and Li report.

The keys

Senate Intel chiefs urge FTC to probe data security ‘deception’ by TikTok

Yesterday the leaders of the Senate Intelligence Committee called on Federal Trade Commission Chair Lina Khan to investigate reports that U.S. user data on TikTok was repeatedly accessed in China, a revelation that reignited security concerns over the popular video-sharing app, my colleague Cristiano Lima of The Technology 202 notes. U.S. lawmakers have long expressed concern at the prospect of Chinese government officials gaining or seizing information on U.S. users through the app, owned by Beijing-based tech giant ByteDance.

Chair Mark R. Warner (D-Va.) and Vice Chair Marco Rubio (R-Fla.) urged the agency to probe the company “on the basis of apparent deception by TikTok” regarding its practices. The senators wrote that recent reports “suggest that TikTok has also misrepresented its corporate governance practices, including to Congressional committees such as ours.” The FTC declined to comment.

“For two years, we've talked openly about our work to limit access to user data across regions, and in our letter to senators last week we were clear about our progress in limiting access even further through our work with Oracle,” said TikTok spokesperson Brooke Oberwetter. “As we've said repeatedly, TikTok has never shared U.S. user data with the Chinese government, nor would we if asked.”

Last week, a group of Republican senators decried the recent disclosures and demanded answers from the company in a separate letter. In response, TikTok confirmed to the lawmakers that employees in China can access U.S. user data after clearing security protocols, Bloomberg News reported. In a rare interview Sunday on CNN, TikTok's head of public policy for the Americas Michael Beckerman said the company has “never shared information with the Chinese government, nor would we.”

U.S. government unveils algorithms designed to withstand quantum computers

The National Institute of Standards and Technology announced the first four encryption algorithms that it chose as part of a competition. It comes amid a race to find encryption algorithms that will be able to withstand a generation of quantum computers expected in 15 to 20 years, this newsletter reported in April.

Quantum computers will have more firepower than current computers, making it easy for them to crack a current generation of encryption algorithms that keeps communication such as emails secret as they travel from place to place. The new algorithms “rely on math problems that both conventional and quantum computers should have difficulty solving, thereby defending privacy both now and down the road,” NIST said.

It’s not the end of the road, however. NIST still plans to announce four additional algorithms. It expects the algorithms to be included in a new standard for post-quantum encryption that it’ll finalize in around two years, NIST says. Industry also has to adopt the standard, a process that could take years, this newsletter previously reported.

Hackers briefly breached Marriott, hotel giant says

The hackers say they’re “an international group working for about five years” and stole around 20 gigabytes worth of credit card, employee and guest information from an employee at a hotel near Baltimore-Washington International Airport, CyberScoop’s AJ Vicens reports. Marriott told another website,, that it would notify 300 to 400 people of the breach, as well as regulators.

Marriott “is aware of a threat actor who used social engineering to trick one associate at a single Marriott hotel into providing access to the associate’s computer,” a spokesperson told CyberScoop. Their access “only occurred for a short amount of time on one day. Marriott identified and was investigating the incident before the threat actor contacted the company in an extortion attempt, which Marriott did not pay,” they said.

The breach comes as Marriott is embroiled in a class-action lawsuit over a breach the company disclosed in 2018. The breach included more than 130 million records, and U.S. officials blamed it on China.

Government scan

DoD issues call for hackers to dig into networks (The Record)

Global cyberspace

The Ukraine war could provide a cyberwarfare manual for Chinese generals eyeing Taiwan (CyberScoop)

Securing the ballot

Georgia grand jury subpoenas Sen. Graham, Giuliani and Trump legal team (Matthew Brown)


  • Col. Candice E. Frost, the commander of U.S. Cyber Command’s Joint Intelligence Operations Center, speaks at a NightDragon event on Thursday at 4:30 p.m. 
  • U.K. Minister of State for Media, Data and Digital Infrastructure Julia Lopez discusses new U.K. data protection rules at an Atlantic Council event on Tuesday at 9 a.m.

Secure log off

Thanks for reading. See you tomorrow.