- The exposure represents one of the biggest known data security lapses of the year by scale, second to a massive data leak of 1 billion records from a Shanghai police database in June.
- The exposed data belongs to a tech company called Xinai Electronics.
- The company builds systems for controlling access for people and vehicles to workplaces, schools, construction sites, and parking garages across China. Its website touts its use of facial recognition for a range of purposes beyond building access, including personnel management, such as payroll and monitoring employee attendance and performance, while its cloud-based vehicle license plate recognition system allows drivers to pay for parking in unattended garages that are managed by staff remotely.
- Security researcher Anurag Sen found the company’s exposed database on an Alibaba-hosted server in China.
- The database included links to high-resolution photos of faces, including construction workers entering building sites and office visitors checking in, and other personal information, such as the person’s name, age and sex, along with resident ID numbers, which are China’s answer to national identity cards. The database also had records of vehicle license plates collected by Xinai cameras in parking garages, driveways and other office entry points.
- Neither the database nor the hosted image files were protected by passwords; both could be accessed from a web browser by anyone who knew where to look.