Data Leak Exposes 500GB of Indian Police, Military Biometric Data


A massive data leak during the elections in India exposed the biometric information of millions. An unsecured database containing fingerprints and facial scans of police, military personnel, and civilians was leaked, sparking concerns about identity theft and election security.

A gigantic data leak exposing biometric data has hit Indian citizens at a time when the nation is participating in the general elections. The data leak raises questions about the vulnerable state of cybersecurity in India, where researchers have already reported cyber attacks and data leaks targeting elections.

In the latest incident, a misconfigured, non-password-protected database containing over 1.6 million documents was discovered by cybersecurity researcher Jeremiah Fowler, who reported it to Website Planet.

The exposed files, around 1,661,59 files (496.4 GB) in total, contained sensitive biometric details like facial scan images, fingerprints, signatures, and identifying marks of police officers, military personnel, teachers, and even railway workers.

Moreover, crucial information like birth certificates, images, email addresses, employment applications, diplomas, certifications, and other education-related files were part of the exposed data.

The database comprised records from 2021-2024. Around 284,535 documents, categorized as Physical Efficiency Tests (PET) for police and law enforcement officers, contained signature images, PDF documents, mobile applications, and installation data, some stored in compressed .zip format.

One of the folders titled Facial Software Installation contained images and documents captured and transmitted through the application. Internal database names, login, and password information were also found in plain text.

The leaked files – Image credit: Jeremiah Fowler via Website Planet

ThoughtGreen Technologies and Timing Technologies

The records belonged to two separate India-based firms, ThoughtGreen Technologies and Timing Technologies. Both provide application development, RFID technology, and biometric verification services. It is unclear, though, which of these firms owned the server.

Public access to this database was restricted the same day. However, the duration of the database’s exposure and potential unauthorized access to the biometric records remain unknown. An internal forensic audit can determine if any suspicious activity took place and whether the records were accessed by anyone else.

Data Being Sold on Telegram

In a research report shared with Hackread.com ahead of publishing on May 23, 2024, Fowler noted that this data might already be up for sale on a Telegram group, which could put millions at risk of a wide range of threats.

Biometric data, such as fingerprints, are unique identifiers tied to an individual’s identity, making them virtually impossible to change. This data could be used for numerous malicious purposes, including impersonation and identity theft.

A Wake-Up Call?

This data leak shows the ethical and regulatory challenges surrounding the collection, use, and storage of biometric data. India passed a law in 2022 extending police powers to collect biometric data from convicted, arrested, or detained individuals.

This incident is a wake-up call for governments and private firms, emphasizing the need for stronger data security practices and clear regulations to protect the privacy and security of citizens.
