A Chinese facial recognition company left its database exposed online, revealing information about millions of people, a security researcher discovered.
SenseNets, a company based in Shenzhen, China, offers facial recognition technology and crowd analysis, which the company boasted in a promotional video could track people across cities and pick them out in large groups.
But the company failed to protect that database with a password, Victor Gevers, a Dutch security researcher with the GDI Foundation, discovered Wednesday. The database contained more than 2.5 million records on people, including their ID card number, their address, birthday, and locations where SenseNets’ facial recognition has spotted them.
From the last 24 hours alone, there were more than 6.8 million locations logged, Gevers said. Anyone would be able to look at these records and track a person’s movements based on SenseNets’ real-time facial recognition.
“Knowing when someone is not in the office or at home can be useful for simple burglar crimes, but also social engineering attacks to get into buildings,” Gevers said in a message.
He said that GDI Foundation reached out to the company to warn it about the open database, which has been available since July. SenseNets did not respond to a request for comment.
Logged locations include police stations, hotels, tourism spots, parks, internet cafes and mosques, Gevers said. The researcher found that there were 1,039 unique devices tracking people across China.
One camera was logged monitoring the Uygur population in Xinjiang, a Muslim minority group that the Chinese government has been accused of targeting with human rights abuses.
The database was available online for anyone to find, and it allowed for full access — meaning a malicious actor could add or delete records from the database, Gevers said. While it was available, the security researcher saw that someone had tried to hold the database ransom in the past.
Along with the location records, thieves could have also stolen sensitive information like people’s addresses and ID numbers.
Facial recognition is pervasive in China, used to monitor citizens across the country. By 2020, China plans to give each citizen a social credit score, tracked through facial recognition logging behaviors like jaywalking and shopping frequency. There are about 200 million surveillance cameras in China, and plans to more than triple that number by next year.
The technology has often been criticized as an invasion of privacy, as it allows government agencies to track citizens in real time without their consent. In the US, the Orlando police department experimented with tracking individuals by facial recognition, using Amazon’s Rekognition technology.
SenseNets’ exposed database logged each time a person was recognized by one of the facial recognition trackers spread around the city. Each camera has an individual name and an IP address tied to a location, Gevers said.
First published at 10:16 a.m. PT.
Update at 2:45 p.m.: Adds details on where these locations were logged.