Strike three: Telangana Police network’s slew of data breaches spell trouble for personal citizen data

This post was updated on July 08, 2024.

tl;dr

One week, three significant data breaches. Two of Telangana police’s apps, namely HawkEye and TSCOP, as well as their SMS delivery service, were compromised and data belonging to police officers and citizens was leaked last week. In this post, we recount the events, explore why these breaches raise alarms for individual privacy, and critically analyse the state police force’s response to the data breaches.

Important documents

1. IFF's Letter to Telangana Police requesting investigation into the three breaches dated 21.06.2024. (Link)
2. IFF's video explainer on the breaches. (Link)

Background

From May 29 to June 7, 2024, apps and services run by the Telangana police suffered from three data breaches compromising personal data of Telangana residents.

1. On May 29, citizen-facing ‘community policing’ mobile application HawkEye reportedly suffered a data breach where thousands of emails and phone numbers, 1.30 lakh SOS records, 70,000 incident reports, 20,000 travel detail records (and as per some reports, location coordinates) were allegedly exposed and posted on data leak site BreachForums. Threat actor ‘Adm1nFr1end’ claimed responsibility for both breaching the app and uploading the data.
2. On June 7, the network was hit by a second breach, this time on Telangana police’s TSCOP App—which uses an integrated facial-recognition system (“FRS”) to help police officers access crime and criminal databases and match images of people taken during patrols. Exposed information reportedly includes offender records, police gun licences, police officer names, designations, and pictures, and police station affiliations. Threat actor ‘Adm1nFr1end’ claimed responsibility for this as well.
3. The same day, the Telangana police SMS service, which is a gateway for police officers to send SMS updates and awareness messages to Telangana residents, was reportedly breached. This third breach, carried out by the same threat actor, exposed police alerts and important notices, which included police personnel’s personal data and contact information. 

Three breaches of critical police infrastructure within one week is an alarming series of events that signals not only weak cybersecurity practices, but also brings to question the myriad kinds of data the Telangana police collects from residents, how it stores and shares this data, and with what objectives. Parallel investigations into these issues have also revealed concerning trends—like the possibility that the Telangana police allegedly collects visitor logs from hotels and shares them with other hotels in the name of ‘public safety’. Given the breadth and gravity of these breaches and allegations, the Telangana police’s tight-lipped responses and plainly denying allegations without evidence are not well-thought out nor enough to put the situation to rest.

This post summarises all that we know about the three breaches, the parallel probes being made by security researchers into Telangana police networks, and the police’s response to this worrying series of events. We wrote to the Telangana police flagging concerns raised in this post. IFF will additionally file Right to Information (“RTI”) requests to acquire more information on the incidents, and also write to the Telangana police bringing these issues to light and prompting stern investigation into the matter.

Why the breaches spark concern

The HawkEye breach revealed sensitive complaint and complainant data. One sample from the leaked data included a complaint filed by a woman on the app, detailing how the man who had promised to marry her was now threatening her and her family. The data breach allegedly exposed her name, mobile number, location along with the date and time of filing the complaint.

The TSCOP App breach brought to light a series of concerns. The App is integrated with FRS enabling police officers to general facial recognition reports and matches in real-time, which is made possible because the system stores large volumes of facial data belonging to suspects and criminals. At the outset, we have consistently stated the various privacy and surveillance concerns associated with facial recognition technology (“FRT”) and especially advocated for a complete ban on the use of FRT by police officers. FRT is an extremely invasive, dangerous, biassed, and inaccurate tool which poses direct threats to privacy. 

As it stands today, use of FRT or surveillance systems generally are not regulated by law in India. There are no standards, guidelines, circulars, policy documents, or office memorandum (at least in the public domain) in place to regulate the technology or certify its quality or accuracy. The  Digital Personal Data Protection Act, 2023 does not provide any safeguards against such surveillance and in fact, worsens the situation to an extent as it allows the processing of personal data for any purpose that is not expressly forbidden by law [Clause 4(2)]. Yet, police forces are increasingly becoming the largest deployers of various surveillance tools. FRS may be deployed by them in ways that can lead to misidentification, and ultimately, false convictions—to what extent this happens is unclear due to a distinct lack of transparency and disclosures around police use of FRS, which in itself is problematic.. When the Tamil Nadu FRS portal suffered a massive breach, we published an explainer on how Indian police forces use FRT and reiterated our call the #BanTheScan.

Further, the software company responsible for the development of the TSCOP App appears to have hardcoded (or embedded as plain text) the passwords of various application programming interfaces (APIs) inside the app, which was also exposed in the breach. TSCOP operates on the Crime and Criminal Tracking Network & Systems (“CCTNS”), which is a wide central network connecting police stations across the country to increase ease of access to data related to FIR registration, investigation and chargesheets in all police stations, and is further linked with the National Intelligence Grid (“NATGRID”) and the National Automated Facial Recognition System (“AFRS”). CCTNS, NATGRID, AFRS and affiliated systems currently run on vast amounts of data from criminal investigations and are able to create profiles of suspects and criminals across datasets—all without an active data protection law in place. All three projects have been flagged by privacy experts and civil society organisations as potential tools of mass surveillance (read our explainers here, here and here).

Finally, the third breach of the police SMS service poses its own unique set of risks, as exposed contact information of police officers and a state-level database of phone numbers can potentially be abused for pulling scams where hackers pose as police personnel and send targeted SMS messages to unsuspecting citizens.

Parallel probes

This slew of data breaches has prompted independent and parallel investigations on the data collection and sharing practices of the Telangana police. The most shocking of all is the allegation that Telangana police has been collecting details of every guest that checks in to a hotel in Hyderabad, which can be accessed by other hotels to effectively track or profile their guests. Company/domain ‘zebichain’ seems to be mentioned in the TSCOPS App’s code, with which such data is allegedly being shared. More worrying is the fact that this is not the first time such a possibility has come up—in 2021, the state police admitted on video that it had introduced a ‘new feature’ on TSCOP, whereby the records of hotel guests can be checked “against a list of suspects using a facial recognition system, and by matching mobile numbers.” Though this was seemingly announced as a pilot project in 2021, its present status is currently unknown. IFF will be filing RTI requests to further inquire into this massive privacy violation.

Further, Sarais Act, 1867 allows police across the country to access hotel guest logs (including guest names, address, contact) with the objective of regulating such establishments and ensuring the safety of travellers. State and local police forces, on paper, reserve the right to inspect these records to ensure compliance. The extent to which provisions of this Act are invoked by Telangana police is also unknown—IFF will be filing RTI requests to find out.

Another allegation is that TSCOPS may be seeding personal data such as the occupation, contact information, gas connection number and house address details from Telangana’s welfare distribution scheme, Samagra Vedika, as references to these details were found in TSCOP App code as well. TSCOPS is not a citizen-facing app, so these details could not have been provided by users or beneficiaries themselves. This raises questions about how or why the police forces had access to welfare benefits related data.

State’s response

The response from the police force has been unsatisfactory so far. Here is a rundown of actions taken by the police and where they fall short:

1. As of 3PM on June 12, 2024, the TSCOP website is displaying a temporary shutdown of service. The Android TSCOP App is also down (the archived webpage is here). This may be necessary to initiate an investigation and curb harm, but we are yet to see an official statement or press release from the Telangana police, owning up to the three massive data breaches and announcing the investigation (all we have at the moment are press statements). They further stated there “could be a tech lapse” in the TSCOP App data leak, but no additional details have been furnished.
2. Telangana police has explicitly denied storing hotel guests and visitors’ data on the TSCOP App and sharing it with any US-based third-party application. While this is a standard response, it is by no means adequate—the police force must initiate investigations into why such data was found in the leaked datasets, and make clear and transparent disclosures of how they invoke their powers under the Sarais Act, 1867. They must prove beyond reasonable doubt that they do not facilitate any such data collection or sharing in Telangana, especially seeing how big of a privacy violation it is.
3. The police force has started to make arrests in response to the three breaches—a 20 year old living in New Delhi was recently arrested for breaching the HawkEye App and TSCOP App. The Telangana State Cyber Security Bureau (“TSCSB”) has reportedly filed a case under the Information Technology Act, 2000 and launched probe to incriminate individuals behind the breach. However, we are yet to hear if a cyber vulnerability investigation has been initiated by TSCSB or the Indian Computer Emergency Response Team (“CERT-In”). The police force seems to be prioritising chasing threat actors instead of fixing the root cause—vulnerabilities in their digitised networks. We would like to caution the investigating authorities against outrightly disregarding claims by individuals and reporters as ‘false’ and recommend against initiating legal action against individuals and organisations covering the incident in question. The authority may deal with such claims by providing substantial evidence instead. We would urge the authorities to conduct the investigation and deal with this violation of data minimisation and purpose limitation principle as transparently and sternly as possible, so that future cases of over-broad data collection practices are discouraged. 

Cybersecurity in India

These three cases paint a worrying picture against India’s cybersecurity landscape. In recent times, India has faced a surge in cyber attacks and security threats targeting both public and private databases. A non-exhaustive list of data breaches in the country since 2020 is available on IFF’s publicly accessible database PlugTheBreach. The inadequacies of our current data protection legislation in safeguarding data privacy and empowering data principals in the event of a breach as well as the current grim state of cybersecurity in the country reveal concerning gaps and vulnerabilities. 

Despite efforts to bolster cybersecurity measures, including establishing dedicated agencies and initiatives, challenges such as insufficient resources, outdated infrastructure, and a shortage of skilled professionals persist. The recent exemption of CERT-In from the RTI, 2005 raises serious concerns about the accountability of an organisation whose actions or inaction is consequential for the status of cyber security and individual privacy in the country.

We hope that the Telangana police is able to prioritise and act swiftly to mend the existing vulnerabilities in their apps and services. In the long run, we hope this incident acts as a lesson for police forces across India to a) stop amassing sensitive personal information on unsuspecting citizens, especially in the absence of an active data protection legislation, and b) pay close attention to making their digital infrastructures airtight.

IFF wrote to the Telangana police to reiterate these concerns in detail.