China – Faces and Vehicle License Plates Leaked

Another large-scale data breach reveals new vulnerabilities in China’s extensive surveillance state.



Although its contents may not seem noteworthy for China, where state monitoring is widespread and facial recognition is commonplace, its scale is astounding. A significant data leak of 1 billion records from a Shanghai police database in June was the largest known data security breach of the year by magnitude. At its peak, the database had over 800 million records. Both times, it’s likely that human error led to the data being accidentally released.

A tech company called Xinai Electronics is the owner of the leaked data. The business creates systems for restricting access to buildings, parking lots, construction sites, and workplaces in China for both people and cars. On its website, the company promotes the use of facial recognition for a variety of uses beyond building access, for example, personnel management, such as payroll, monitoring employee attendance and performance, and its cloud-based vehicle license plate recognition system, which enables users to pay for parking in unattended garages that are managed by staff remotely.

Millions of face prints and license plates have been collected by Xinai through a massive network of cameras, and according to the company’s website, the data is “securely stored” on its servers.

Anurag Sen, a security researcher, discovered the organization’s exposed database on a Chinese server hosted by Alibaba.

Sen claimed that the database had hundreds of millions of records. But neither the database nor the hosted image files had password protection, so anyone with the right information could access them via a web browser.

In addition to other personal information like the person’s name, age, sex, and resident ID numbers. The database also included links to high-resolution photos of faces, including those of construction workers entering construction sites and office visitors checking in. The database also contained information on vehicles’ license plates captured by Xinai cameras in parking lots, driveways, and other office entryways.

The Personal Information Protection Law, China’s first comprehensive data protection law, which is seen as China’s answer to the GDPR privacy regulations in Europe, was passed last year. Its goal is to restrict the amount of data that businesses collect while broadly exempting the police and other governmental organizations that makeup China’s extensive surveillance state.

However, following two significant data breaches in recent months, the Chinese government and IT firms are finding that they are both ill-prepared to protect the enormous amounts of data that their surveillance systems gather.