Millions of faces and car license plates were stored in a sizable Chinese database that was publicly accessible for months before it was silently removed in August.
The exposed data belongs to Xinai Electronics, a tech company headquartered in Hangzhou on China’s east coast. The firm builds systems that control entry for people and vehicles to workplaces, schools, construction sites, and parking lots in China. Its website advertises facial recognition for purposes beyond building access, including personnel management such as payroll and monitoring employee attendance and performance, while its cloud-based vehicle license plate recognition system lets drivers pay for parking in unattended garages that staff manage remotely.
In addition to other personal information like the person’s name, age, and sex, the database also included links to high-resolution photos of faces, including those of construction workers entering construction sites and office visitors checking in. Resident ID numbers are China’s equivalent of national identity cards. The database also contained information on the license plates of vehicles that were captured by Xinai cameras at parking lots, driveways, and other workplace entryways.
Although the database’s contents may not seem noteworthy for China, where state monitoring is pervasive and face recognition is commonplace, its scale is astounding.
The surveillance state in China extends far into the private sphere, giving law enforcement agencies near-unrestricted access and the ability to follow individuals and vehicles all around the nation. China uses facial recognition technology to monitor its enormous population in smart cities, but the technology is also used to track minority communities that Beijing has long been accused of suppressing.
Anurag Sen, a security researcher, discovered the company’s exposed database on a server hosted by Alibaba in China and requested TechCrunch’s assistance in notifying Xinai of the security breach.
Sen said that the database had hundreds of millions of entries and complete web URLs for image files hosted on various domains controlled by Xinai, and that it held an alarming quantity of data that was growing by the day. Neither the database nor the hosted image files had password protection, making them accessible from a web browser to anybody who knew where to look.