Chinese Police Exposed 1B People's Data in Unprecedented Leak
Plus: A duplicitous bug bounty scheme, the iPhone’s new “lockdown mode,” and more of the week’s top security news.
As states grapple with the far-reaching implications of the United States Supreme Court’s June decision to reverse the constitutional right to abortion, WIRED examined the privacy risks posed by widely deployed automated license plate readers as the risks of being prosecuted for seeking an abortion ramp up around the country. And researchers underscored the digital self-defense value of end-to-end encryption anywhere in the world, as civil rights protections and law enforcement powers evolve.
Apple announced a new protection this week known as “Lockdown Mode” for iOS 16 that will let users elect to run their phone in a more limited but more secure mode if they are at risk of being targeted with invasive spyware. And researchers say that the new encryption algorithms announced by the National Institute of Standards and Technology, which are designed to resist attacks from quantum computers, will be difficult to test in any practical sense for years to come.
We examined how users can protect themselves against the worst Instagram scams and took a look back at the worst hacks and data breaches of 2022 so far, with many more inevitably still to come.
But that’s not all. Each week we round up the news that we didn’t break or cover in-depth. Click on the headlines to read the full stories. And stay safe out there!
In one of the most expansive and impactful breaches of personal data of all time, attackers grabbed data on almost 1 billion Chinese citizens from a Shanghai police database and attempted to extort the department for about $200,000. The trove contains names, phone numbers, government ID numbers, and police reports. Researchers found that the database itself was secured, but that a management dashboard for it was publicly accessible from the open internet, allowing anyone with basic technical skills to pull the information without needing a password. The scale of the breach is immense, and it is the first of this size to hit the Chinese government, which is notorious for hoarding massive amounts of data, not only about its own citizens but about people all over the world. Chinese state-backed hackers were memorably blamed for the breach of the United States Office of Personnel Management and the Equifax credit bureau breach, among many others worldwide.
FBI director Christopher Wray and the chief of the UK’s security agency MI5, Ken McCallum, issued a joint warning this week that China is, as Wray put it, the “biggest long-term threat to our economic and national security.” The pair noted that China has conducted extensive espionage around the world and interfered in elections and other political proceedings. Wray said that if China moves to seize Taiwan it would “represent one of the most horrific business disruptions the world has ever seen.” McCallum said that since 2019, MI5 has more than doubled its focus on China and now conducts seven times as many Chinese Communist Party-related investigations as it did in 2018. Chinese Foreign Ministry spokesman Zhao Lijian described British officials as attempting to “hype up the China threat theory.” He added that MI5 should “cast away imagined demons.”
The bug bounty platform HackerOne, which manages vulnerability submission and reward programs for companies, fired an employee this week for stealing vulnerability disclosures submitted through the platform and resubmitting them to the affected companies to collect the rewards for personal gain. HackerOne uncovered the scheme when one customer company flagged a vulnerability disclosure that was suspiciously similar to one it had received in June from a different researcher. The rogue employee, who was new to the company, had access to HackerOne’s platform from April 4 until June 23 and made seven vulnerability disclosures using stolen research. “This is a clear violation of our values, our culture, our policies, and our employment contracts,” HackerOne wrote in an incident report. “We have since terminated the employee, and further bolstered our defenses to avoid similar situations in the future.”
The United States Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and Treasury Department said in a joint alert this week that North Korean hackers have been targeting the healthcare and public health (HPH) sectors with the little-known Maui ransomware strain. They warned that paying such ransoms could violate US sanctions. “North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services,” the alert warns. “In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods.”