Chinese facial recognition company exposes the database of people's locations
Chinese facial recognition company exposes the database of people's locations | |
---|---|
Short Title | Chinese FR Company leaves people's locations exposed |
Location | Shenzhen, China |
Date | February 13, 2019 |
Solove Harm | Surveillance, Aggregation, Insecurity, Identification |
Information | Addresses, Date of Birth, ID card number, Location |
Threat Actors | SenseNet |
Individuals Affected | The citizens of Shenzhen, China |
High Risk Groups | Religious Minority |
Tangible Harms | N/A |
SenseNet, a company in Shenzhen, China, offers facial recognition and crowd analysis that identifies a person through different cities and is able to pick them out from a large crowd. The company failed to protect the database holding people's information with a password. According to Victor Gevers, a Dutch security researcher with the GDI Foundation, the database contained over 2.5 million records of people, including their addresses, ID card numbers, dates of birth and the locations where a facial recognition camera recognized them. Luckily, the information from the database was not used in any attack, but when GDI reached out to SenseNet about the open database, SenseNet never replied to the notice. Furthermore, one of the cameras was logging the Uygur population in Xinjiang, a Muslim minority group that the Chinese government has been accused of targeting with human rights abuses. The database was open to the public for anyone to find, with full access, meaning that a malicious actor could add or delete records. According to Gevers, while the database was open, someone tried to hold it for ransom but failed. Overall, SenseNet's lack of protection on its database could have led to millions of people having their records exposed and becoming subject to identity theft or worse.
Description
A security researcher discovered that a Chinese facial recognition company had left its database, holding the records of millions of people, exposed online, revealing information such as ID card numbers, addresses and dates of birth. Leaving the database exposed is an insecurity harm because the company failed to protect the information of the people in the database: it did not have a password on the database.