While the DGP said no sensitive or financial data of any user has been compromised, the repeated data leak incidents have come as a wake-up call for the department. The TGCSB has now initiated comprehensive monitoring, vulnerability assessments, and penetration testing (VAPT) across all internal and external networks, web and mobile applications, as well as cloud and endpoints to identify and address any security weaknesses and prevent any future breaches, a press statement from the DGP said.

The investigation found that the accused hacked the police department’s portals to illegally obtain the data he wanted to sell for a price. Further investigation is on to determine if any other individuals are involved in the crime. Incidentally, the accused, Jatin Kumar, a native of Jhansi, was arrested by the special cell at the Dwarka police station in New Delhi last December in a similar case of hacking in which he allegedly leaked Aadhaar data and other critical information related to sensitive institutions. . He was out on bail.

This time, the accused posted details of the breach on databreachforum.st and offered the data from HawkEye and TSCOP applications for sale at $150. He also provided his Telegram IDs ‘Adm1nfr1end’ and ‘Adm1nfr1ends’ so prospective customers could contact him. The police traced him to Greater Noida and nabbed him on Saturday.

TGCSB director Shikha Goel, without divulging details about the type or volume of data breach, said the breach did take place but did not result in data loss. “The hacker has not deleted the data or made it unusable. So we never lost it. The hacker has not taken control of our systems or disabled them. He gained access and gathered information which he said was available for people for money,” she told indianexpress.com.

Records of criminals, details of gun licenses issued, and information about police stations and officers, including their insurance claim details, are among other data from the TSCOP database that the hacker posted as sample data on forums. Data security researcher Srinivas Kodali said that a 20-year-old could hack into systems is surprising.

“This shows the police had pretty much no security. Telangana Police have everyone’s birth to death record and even if the person dies, we want to save it for 75 years. That is the mandate from the Ministry of Home Affairs,” adds Kodali, calling for a total redesign of all systems and its continuous evaluation.

According to the police, due to a weak or compromised password, the hacker could have obtained access to certain segments of HawkEye data and gained the data by generating a report.

The HawkEye mobile application launched in 2014 allows citizens to report violations to the police, especially crimes against women, and features an SOS button for emergency assistance. It retains user information such as mobile phone numbers, addresses and email IDs as part of its data repository.

The police said TSCOP, launched in 2018, had been solely used for in-house tasks, guaranteeing no collection of confidential/financial user data. They also added that the application does not collect visitor or hotel management data. After the data breach incident came to light, allegations such as collecting customer data from hotels and sharing it with a third-party company abroad cropped up on social media.

“TSCOP does not collect any hotel visitor data. It is incorrect to say that TSCOP pushed/gave such data to any third party,” the DGP said in the press note. He also denied claims of breach of the SMS server URL of Hyderabad city police and added, “The URL has been defunct and unsubscribed since April 2022, with Hyderabad city police ceasing its usage long before that.”

Kodali had posted screenshots of the TSCOP app code on X, claiming that police collected the data of people checking into hotels and shared it with Zebi, a blockchain platform based in the US. Kodali says he is not surprised because a colonial law such as the Sarais’ Act of 1867 enables the police department to collect information on every individual who checks in to a hotel and that this law is widely used even today given its modern context of threats from terrorists.

“Because these instances are out in the open, we can talk about it. The leak could have been much worse than what we know. We don’t know at what scale the impact has taken place. There could be scenarios that have not come out,” he adds.

TSCOP, he says, is a giant interconnected internetworked set of computers, servers, and databases with facial recognition, fingerprint recognition, etc, integrated into one app. “And since it is integrated with CCTNS (Crime and Criminal Tracking Network and Systems) that allows Telangana police to access details from across the country, such a vulnerability at one point in the network means anyone in the entire system is accessible to them.”