Chinese facial recognition company exposes the database of people's locations

From Privacy Wiki
Jump to navigation Jump to search
Chinese facial recognition company exposes the database of people's locations
Short Title Chinese FR Company leaves people's locations exposed
Location Shenzhen, China
Date February 13, 2019

Solove Harm Surveillance, Aggregation, Insecurity, Identification
Information Addresses, Date of Birth, ID card number, Location
Threat Actors SenseNet

Affected The citizens of Shenzhen, China
High Risk Groups Religious Minority
Tangible Harms N/A

SenseNet, a company in Shenzhen, China, which offers facial recognition and crowd analysis that identifies a person though different cities and is able to pick them out from a large crowd failed to protect the database with people's information with a password. According to Victor Geves, a Dutch security researcher with the GDI Foundaton, the database contained over 2.5 million records of people including their addresses, ID card numbers, date of birth and the locations where the facial recognition camera recognized them.Luckily the information from the database was not used in any attack, but when GDI reached out to SenseNet about the open database, SenseNet never replied to the notice. Furthermore, one of the cameras was logging the Uygur population in Xinjiang, a Muslim minority group that the Chinese government has been accused of targeting with human rights abuses. The database was open to the public for anyone to find with full access meaning that a malicious actor could add or delete records from the database. According to Gevers, while the database was open, someone tried to hold the database for ransom, but failed. Overall, SenseNet's lack of protection on their database could have led to millions of people having their records exposed and become subject to identity theft or worse.


A security researcher discovered a Chinese facial recognition company that left their database with the records of millions of people exposed online revealing information such as ID card numbers, addresses, date of births, etc. The company leaving the database exposed is an insecurity harm because they failed to protect the information of the people who were on the database since they did not have a password on the database.

Laws and Regulations