FILE PHOTO - Security cameras are installed at the entrance to the Id Kah Mosque during a government organised trip in Kashgar, Xinjiang Uighur Autonomous Region, China, January 4, 2019. Picture taken January 4, 2019. REUTERS/Ben Blanchard

BEIJING (Reuters) - A Chinese surveillance firm is tracking the movements of more than 2.5 million people in the far-western Xinjiang region, according to a data leak flagged by a Dutch internet expert.

An online database containing names, ID card numbers, birth dates and location data was left unprotected for months by Shenzhen-based facial-recognition technology company SenseNets Technology Ltd, according to Victor Gevers, co-founder of non-profit organization GDI.Foundation, who first noted the vulnerability in a series of social media posts last week.

Exposed data also showed about 6.7 million location data points linked to the people which were gathered within 24 hours, tagged with descriptions such as “mosque”, “hotel,” “internet cafe” and other places where surveillance cameras were likely to be found.

“It was fully open and anyone without authentication had full administrative rights. You could go in the database and create, read, update and delete anything,” said Gevers.

China has faced an outcry from activists, scholars, foreign governments and U.N. rights experts over what they call mass detentions and strict surveillance of the mostly Muslim Uighur minority and other Muslim groups who call Xinjiang home.(tinyurl.com/y9zzouss)

According to its website, SenseNets works with China’s police across several cities. Its Shenzhen-listed parent company NetPosa Technologies Ltd has offices in a majority of Chinese provinces and regions, including Xinjiang.

SenseNets and NetPosa, as well as the Xinjiang regional government, did not immediately respond to requests for comment on Sunday.

The Chinese government has ramped up personal surveillance in Xinjiang over recent years, including the construction of an extensive video surveillance system and smartphone monitoring technology.

Gevers said the foundation directly alerted SenseNets to the vulnerability, in line with GDI.Foundation protocol. He said SenseNets did not respond, but that it has since taken steps to secure the database.