Public Security Department of Jiangsu Province of China exposes 90 million records

• The Elasticsearch cluster contained two databases exposing over 90 million people and business records.
• The leaky databases contained almost 58,364,777 public records and 33,708,010 business records.

An independent security researcher Sanyam Jain uncovered a misconfigured Elasticsearch cluster owned by the Public Security Department of Jiangsu Province, China on July 1, 2019. The Elasticsearch cluster contained two databases exposing over 90 million people and business records.

What data was exposed?

The leaky databases contained more than 26 GB of data including public records. The open databases contained almost 58,364,777 public records and 33,708,010 business records.

• Public information includes names, dates of birth, genders, identity card numbers, location coordinates, as well as city information.
• Business records included business IDs, business types, location coordinates, city_open_id, and memos designed to track the owner of the business.

Worth noting

Apart from the two unsecured Elasticsearch databases, the Public Security Department also had a password protected Public Security Network admin console and a publicly-accessible Kibana installation running on the same server which would help browse and analyze the stored data using a GUI-based interface.

What was the response?

On July 2, 2019, Sanyam Jain notified the Public Security Department of Jiangsu Province and the CNCERT/CC about the misconfigured Elasticsearch cluster. However, the researcher did not receive any response.

Later, on July 5, 2019, CNCERT/CC responded back saying that the owner has been notified. The databases were then secured on July 8, 2019.