Telangana Police hit by second major data breach in a week as TSCOP App compromised | Hyderabad News – Times of India

HYDERABAD: Just a week after the hacking incident involving Telangana police’s HawkEye app, another app, TSCOP, has been compromised as well. As a result, police-related data is currently available for sale on online forums. The same hacker responsible for the breach of HawkEye is behind this security lapse. The TSCOP app user data is being sold online for $120. Launched in 2018, TSCOP was intended for internal use by Telangana police, primarily to provide instant information to aid in crime-solving.
Data security researcher Srinivas Kodali said, “Someone hacked entire TelanganaCOPs network including TSCOP, their facial recognition setup.” Kodali further explained that it was easy for the hacker because the software company, WINC IT Services, embedded passwords as plain text inside the TSCOP app, which also connects to the Crime and Criminal Tracking Network & Systems (CCTNS).
In just one week, Telangana police experienced three major data leaks, all attributed to the same hacker: the TSCOP app data leak, Telangana police SMS service portal breach, and the HawkEye app data leak.
The TSCOP app enables police officers to access crime and criminal databases and match images of people taken during patrols. The state has also built a comprehensive ‘360-degree view of every citizen’ database. Moreover, the app features an integrated facial-recognition system (FRS), allowing police to identify criminals, unknown bodies at crime scenes, or even missing children.
The hacker has posted sample data on forums to entice buyers, showcasing details such as offender records, police gun licenses, and other law enforcement information. User information, including officer names, police station affiliations, designations, and images, is now available for purchase online, with hundreds of police officers’ details listed as “samples.”
Notably, the TSCOP app had previously been recognized by the National Crime Records Bureau (NCRB) with an award in 2017 under the “Empowering Police with Information Technology” category.
Kodali offered some advice to the police, stating, “Telangana police should use a longer password with alphabets, numericals, capitals and symbols. But don’t forget to hardcode the entire passwords in your apps. Also please use HTTP only.”
Recently, a data breach involving the HawkEye app, designed for Telangana police, was reported on BreachForums, a well-known marketplace for stolen data. Threat actors claimed that thousands of emails, phone numbers, SOS calls from women, and other details had been leaked. The Telangana State Cyber Security Bureau has registered a case under the IT Act and begun an investigation.
“We have registered a case and investigating the hacking allegations and suspected breach,” additional director-general (DG) (CID) Shika Goel told TOI.
On the forum, the threat actors claimed that the leaked data included names, email addresses, phone numbers, and locations of over 200,000 users. A threat actor, known as ‘Adm1nFr1end’, claimed on May 29 on BreachForums that the breached database includes 130,000 SOS records, 70,000 incident reports, and 20,000 travel detail records.
The HawkEye app, launched by Telangana police in 2014, allows the public to report violations, tip off police, and report crimes against women. It features an SOS button for emergency assistance, requiring users to share personal details like their name, email ID, and mobile number.
A sample of the leaked data included a complaint filed by a woman on the HawkEye app. She detailed how a man, who had promised to marry her, was now threatening her and her family. The data leak exposed her name, mobile number, location, and the date and time of the complaint.

By Exabyte News