The personal details of more than 100 Australian citizens — including a former federal MP — are among those exposed by a hacker in a huge leak of records stolen from Chinese police authorities.
Last week, a hacker claimed in an online forum that they had stolen 1 billion records, mostly belonging to Chinese citizens, in an ongoing bid to sell the information for 10 bitcoins, or almost $300,000.
The reports provide a rare insight into how authorities crack down on political dissent and persecute minorities in China, including Uyghurs and Falun Gong practitioners.
That hacker posted three sample data sets online, amounting to 750,000 individual records.
The ABC called 20 individuals in China who were identified in the leak to confirm the authenticity of the police reports.
Cybersecurity experts and other media have also verified some of the data from the 23-terabyte database.
However, the overall size of the files and the data breach have not been confirmed by Chinese authorities, who remain tight-lipped.
In one Shanghai police file that has 250,000 entries, the ABC found personal details of a former Australian federal MP, who had called police to report a theft from the boot of a car in 2004.
The ABC has contacted the individual but has not received a response.
Dozens of Australian citizens were also identifiable in that data set, along with their passport details, home addresses, birthdays and police reports.
More than half of the Australian records were related to failure to register with local police within 24 hours of their arrival in China, a requirement of China's Exit and Entry Law, which came into effect in 2013.
The records span more than 20 years from 1995 to 2019.
China's Cyberspace Administration, Australia's Department of Foreign Affairs and Trade, the Australian Federal Police and the Australian Cyber Security Centre have all been contacted for comment.
All mentions of the leak were censored on popular Chinese social media platforms Weibo and WeChat.
On Weibo — the Chinese equivalent of Twitter — the Chinese keywords "Shanghai database" and "data breach" have been banned since last week, but posts questioning the authenticity of the database that avoided those keywords remain online.
'There is data, so there is money'
Robert Potter — the co-founder of cybersecurity firm Internet 2.0 — told the ABC he had assessed the data sets and they appeared to be authentic because the records are like other Chinese government data systems he has evaluated in the past.
"Given the scale of the data set, it'd be hard to make large-scale changes," Mr Potter said.
He said the leaked information had come from an Alibaba cloud server.
Since 2019, the Shanghai Public Security Bureau has been storing its database on a cloud service provided by Alibaba.
The ABC has contacted Alibaba for comment.
Mr Potter suggested Australians who found their names on the list should get a new passport.
Monash University cybersecurity and cybercrime specialist Lennon Chang said the amount of data that was leaked by the hacker was "unprecedented".
"This is a huge database, including all the personal information and the criminal records that have been kept [by the police]," Dr Chang said.
By posting some of the records online, Dr Chang explained, the hacker was showing the data set is accurate to attract more potential buyers.
"He's not just trying to sell to one person," Dr Chang said, adding that many people were searching for the sample data and trying to play with it.
"There is data, so there is money."
Police data reveals investigations into minority groups
The leak reveals a series of police investigations into human rights activists and people from religious minorities, including Muslim Uyghurs and Falun Gong practitioners.
China has reportedly detained more than one million people from Muslim ethnic groups, including Uyghurs and Kazakhs, in re-education facilities that the state calls vocational training centres.
Falun Gong, a controversial spiritual movement, has been banned in China since 1999, and practitioners around the world claim their fellow members were imprisoned and silenced in an ensuing crackdown.
In one case, the ABC spoke to a woman in China identified in the leak, who confirmed she had reported a Falun Gong practitioner to local police.
Others were contacted by the police for political commentary, including "humiliating" the national leader and posting anti-Chinese Communist Party (CCP) comments on foreign websites.
Unverified reports in the police file showed two people were visited by Shanghai police for posting "inappropriate comments", criticising President Xi Jinping and the CCP on Twitter via a Virtual Private Network (VPN) in 2018 and 2019.
In one of the police reports, which the ABC has not been able to independently verify, a Uyghur police officer called the local police for help because a Shanghai hotel would not allow him to check in.
The report said it was due to his Uyghur background, which Chinese authorities often consider as linked to terrorism or a security threat.
In another incident, Shanghai police inspected a hotel room where a Uyghur guest stayed in 2018, and wrote in the report that chances of terrorism had been ruled out.
Data leak comes as Xi Jinping makes historic third bid for president
While the identity of the hacker remains unknown, the incident again exposes the challenge China faces when it comes to data vulnerability.
China passed a new Personal Information Protection Law last November, tightening rules around data collection, use and storage as Beijing intensified its control and collection of data during the pandemic.
Dr Chang said hacking, or leaking citizens' private information, would be viewed as breaking the law.
"It is actually good timing to allow us to see whether the data protection law is in action with the Chinese government," he said.
Dr Chang said another possible intent of the data leak might be to disrupt or impact Mr Xi's bid for a third term as party leader.
"What I'm more interested to see is the timing of the leaking of this data," Dr Chang said.
The CCP will hold its annual meeting in a few months, and it is widely expected that Mr Xi's tenure will be extended for a third term.
It is a crucial moment for the country's political stability as Mr Xi's opponents are expected to challenge his power, even though many of them have been stifled as his anti-corruption campaign intensified.