HYDERABAD: The Telangana State (TS) COP app data has been compromised due to an alleged breach within a week after department’s HawkEye was reportedly hacked. The data from the Telangana police SMS service portal is also said to have been leaked.
Following this, the police have registered a case under the IT Act. TCSB ADG Shikha Goel told TNIE that the police were trying to find out the identity of the hacker. “As all the cases are related to a similar nature, we have registered one case under the IT Act and we are investigating the hacking allegations and data breach.”
Claimed to be the first-of-its-kind crime detection tool in the country, the app, launched in 2018, is enabled with the face recognition system (FRS). Linked with the TSCOP app, it allows multiple wings of police such ACB, CCS, CID among others to scan a suspect’s face from anywhere within the criminal database.
Additionally, it assists them in verifying unknown bodies and missing people. It is also used by the cops for internal matters such as access to criminal database. Through it, the cops can also match images of people.
Srinivas Kodali, a data researcher and activist, said that the entire Telangana COP network was hacked and posted a photo of the threat actor operating by the screen name of ‘Adm1nFr1end’ who claimed to upload all the data of TSCOP on the data leak website BreachForum.
Speaking to TNIE, Kodali claimed that it was an easy job because the company that built this software, WINC IT Services, embedded passwords as plain text.
“They probably have no background in software development. Their website shows they have been supplying software to Telangana police and have carried out multiple projects. Their website is defunct at the moment. If you reverse engineer their app code, it has the passwords of all their systems embedded in it. It is like using plain text passwords without any security layers. These are bad security practices,” said Kodali.
Meanwhile, to entice the buyers, the hacker reportedly posted the sample data on the platforms, including records of offenders, police gun licenses, and other law enforcement information. Information about police officers, police stations, designations, and images was also made available online for purchase.
“The motive is not just to show that the system is hacked but also to make profit. That is usually the motive of hackers,” Kodali said. He suggested that the police should keep auditing their systems and have better security practises.
Notably, in 2017, the TSCOP was presented the ‘Empowering Police with Information Technology’ award by the National Crime Records Bureau (NCRB). On May 29, the threat actor took to BreachForums, claiming that the HawkEye database was breached. The hacker attached sample records of over 1.30 lakh SOS records, including 20,000 travel records of the users. Personal data like names, phone numbers, email addresses, and their location coordinates were disclosed on the dark web.
The HawkEye app was launched by the Hyderabad police in December 2014 as a citizen-friendly initiative. As the name suggests, it enables the public to participate in community policing, allows users to report a traffic violation or crime against women, has safety features for women’s travel, and has an SOS button for those in distress.
It was integrated with the the Crime and Criminal Tracking Network and Systems (CCTNS) along with other apps after it was taken over by the state police around 2021. Some of the reported data leak sample from the HawkEye included a complaint filed by a woman where she detailed about a man, who had promised to marry her, was then threatening her and her family. Over the breach of the app, Kodali called out the state police for not hiring proper developers and, as a result, putting the privacy of several thousand users at risk.
Claimed to be the first-of-its kind, the app, launched in 2018, is enabled with the face recognition system (FRS). Linked with the TSCOP app, it allows multiple wings of police such ACB, CCS, CID among others to scan a suspect’s face from anywhere within the criminal database
