Too bad then the hackers steal them and sell them online even at a ridiculously low price. It happened in these hours in Shanghai, China, a city of 25 million inhabitants. Tomorrow it could also happen to us, given the ease with which cyber pirates have taken possession of the extremes, with unpredictable effects on people’s health. Illegal markets for health, human organs, the black market for drugs and illegal health tourism are the first to take advantage.

A hacker with the name “XJP” has put up for sale those of 48.5 million users, namely the mobile app with the Covid health code managed by the city of Shanghai. The “XJP” hacker sells the data for only US $ 4,000 (RM 17,777, i.e. Renminbi, the official currency of China) and does so on the hacker forum Breach Forums. It initially asked for US $ 4,850 (RM 21,554) before lowering the price on the same day as the sale was launched. Not only Chinese are involved in the case, but all those who have visited Shanghai in the last 2 years. “This DB (database)”, wrote XJP in the post, “contains the data of all those who have lived in or visited Shanghai since the adoption of Suishenma.”

Suishenma is the Chinese name for the Shanghai health code system, which the city, like many throughout China, established in early 2020 to combat the spread of Covid-19. All residents and visitors must use it. The app collects travel data to give people a rating, red, yellow, or green, depending on the individual’s likelihood of contracting the virus. Citizens must show the code every time they want to enter public places.

To prove that he was in possession of the health specifications, the hacker provided a sample of data from 47 people, including names, telephone numbers, the identifiers of the system and the status of the health code.

There immediately started hunt for the 47 who were reached by phone calls from journalists from Reuters. Everyone had used the App and provided their data even though two of the interviewees claimed their identification numbers were wrong.

It is the second sensational case in little more than a month: at the beginning of July they came The data of a billion people were stolen from the police database and put up for sale on the dark web for 10 bitcoins, that is over 198,000 dollars. The most disturbing aspect is the ease with which the hackers have gained possession of the data.

Regarding the theft in July, an investigation by Wall Street Journalsupported by cybersecurity experts, said a dashboard for managing a police database had been left open on the internet, i.e. public and without password protection for more than a year. Neither the Shanghai government nor the police commented on the matter.

Regarding the last case, the data is managed by the city government and users access Suishenma through the Alipay app, owned by the Fintech giant, an affiliate of Alibaba, Ant Group, and the WeChat app of Tencent Holdings.

The journalists who spoke and followed the story tried to collect a comment from XJP, from the Shanghai government, of Ant Group and Tencent but for now it seems that no one has responded to the requests.

