Hyderabad: In contrast to the Telangana director general of police’s claim, the state police’s TSCOP application is collecting data of people checking into hotels in Hyderabad. This aspect of the police app was exposed last week after data security researcher Srinivas Kodali found it during a data breach (and leak) of the Telangana police. All of the data that that was breached by a hacker was sold online.
The entire episode began last week after it was found that data from the Telangana police’s citizen-service Hawkeye application was first found to be leaked. It was followed by the revelation that more data from the Telangana police’s network including TSCOP, was hacked into and leaked online. The hacker, identified as Jatin Kumar, a native of Jhansi, Uttar Pradesh, was arrested by the Telangana Cyber Security Bureau (TSCSB) on June 8, said state DGP Ravi Gupta on Sunday, June 9.
The Telangana DGP also maintained that no data was compromised, even though security experts said that public data was compromised as it was being sold. Against the claim that the TSCOP app does not collect citizen data from hotels, Kodali exposed it by putting up a screenshot and a video from 2021 that was uploaded online in which it can be seen that information of people who check into hotels is being collected by the police.
It is not certain under what law personal details of citizens checking into hotels can be collected. The issue, according to activists who did not want to be named, said that infringes the privacy rights of individuals.
A day earlier, the Telangana DGP stated that the police’s Hawkeye mobile application only retains user information such as mobile numbers, addresses, and email IDs as part of its data repository. “Prima-facie, it is suspected that because of a weak / compromised password, the intruder might have obtained access to certain segments of Hawkeye data by generating a report,” he said in a press release.
About the TSCOP app, the Telangana DGP said it is utilized for in-house tasks, “guaranteeing no collection of confidential/financial user data”. He also categorically denied Kodali’s statement that the police is collecting information of people checking into hotels. “It is a fact that TSCOP does not collect any Visitor / Hotel Management Data, at all. Hence, it is absolutely incorrect to say that TSCOP pushed / gave such Data to any third party. Therefore, certain related media reports that appeared in newspapers are denied,” he added.
However, it is to be seen how the police now reacts after it has been shown that such data is being collected.
What the hacker breached from the Telangana police’s network
A preview of the data was shared on BreachForums, a platform where stolen data is sold to cyber criminals. Sensitive details of criminal records, and various law enforcement details, including names, ranks and images of Telangana police officials were up for sale on the platform.
The HawkEye data leaked also comprised SOS calls from women, names, emails, phone numbers, locations and other sensitive information of over 2,00,000 users. The Telangana police data leak of TSCOP also reflects that Aadhaar data collected by the government of Telangana under a household survey was illegally shared with the Telangana Police, which was also leaked online.
