Indian Military & Police Biometrics Exposed in Data Breach

Jeremiah Fowler May 23, 2024
Cybersecurity researcher Jeremiah Fowler discovered and reported to WebsitePlanet a non-password-protected database that contained over 1.6 million documents belonging to a leading Indian provider of biometric authentication solutions, with offices in the USA and Australia. The exposed records included the biometric identity information of members of the police, army, teachers, and railway workers. In parallel, it appeared that the data might have been for sale on a dark web-related Telegram group.

The publicly exposed database contained 1,661,593 documents with a total size of 496.4 GB. I saw documents containing: facial scan images, fingerprints, signatures (in English and Hindi), identifying marks such as tattoos or scars, and much more. There were also scans of documents such as birth certificates, testing and employment applications, diplomas, certifications, and other education-related files. Among the most concerning files were what appeared to be the biometric data of individuals from the police and military in verification documents. Upon further investigation, I saw documents indicating the records belonged to two separate entities, which suggests they operate under the same ownership: ThoughtGreen Technologies and Timing Technologies, each of which provides application development, analytics, development outsourcing, RFID technology, and biometric verification services. According to their websites, they have offices in the United States, Australia, and India. I immediately sent a responsible disclosure notice to the contact details indicated for both companies, and public access to the database was restricted the same day. I did not receive any reply, and it is not known how long the database was exposed or if anyone else may have had access to the biometric records. Only an internal forensic audit would identify any suspicious activity and whether the records were accessed by anyone else. It’s not clear exactly who owned the server, despite the data appearing to be owned by either or both companies.

According to a job listing description of the company: Timing Technologies India has expertise in RFID Biometric Facial Recognition and other IT Solutions, among others involving physical tests, for Recruitment of Army, Police and Railway organizations of India.

The records span from 2021 to 2024 and were actively updating in real time during my research. There were 284,535 documents marked as Physical Efficiency Test (PET) for police and law enforcement officers. The database also stored images of 143,173 signatures and a very large number of .PDF documents that contained the name, images, and fingerprints of multiple individuals. I saw numerous files featuring the biometric data of individuals who appeared to be high-ranking military personnel. The database also contained several mobile applications and installation files compressed in .zip format. One folder was titled “Facial Software Installation” and other folders stored images and documents presumably captured and transmitted through the application. I also saw documents that contained internal database names, login, and password information in plain text.

Publicly exposed biometric data can pose far more potential risks than other types of personal information due to its inclusion of identifiers (such as fingerprints and facial features) that do not change throughout a person’s lifetime.

Biometric Data of Police, Military, and Railway Workers Compromised

Exposing the biometric data of police officers, military personnel, and railway workers raises serious concerns about potential security threats and privacy violations. The exposed database contained a wealth of sensitive information that is necessary for verifying the identities of individuals and preventing impersonation. However, in the wrong hands, this information could potentially be used for malicious purposes. 

For example, a criminal could use the exposed data to impersonate another individual — in this case, it could be someone who works in law enforcement or the army, which could lead to possible national security concerns. Hypothetically, a criminal could replace the image, fingerprint, and other data inside the database with those of an impersonator, who would then pass the biometric identity test as the face and prints match those in the exposed database. 

Another potential risk is identity theft. Biometric data, such as fingerprints and facial recognition scans, are unique identifiers tied to an individual’s identity. Passwords, credit card numbers, contact details, and other identifiers can be easily changed if compromised, while biometric data is permanent and is virtually impossible to change. Potentially affected individuals could have numerous long-term identity risks over their exposed biometric information. I am not saying this information was at risk or accessed by cyber criminals and I am only providing real-world hypothetical risk scenarios. 

This data breach raises serious concerns regarding data security and underscores the broader ethical and regulatory challenges surrounding the collection, use, and storage of biometric data. In 2022, India passed a law giving police extensive powers to collect biometric data from people who have been convicted, arrested, or detained. In this case, these were not criminals or suspects who had their biometric data collected, but instead individuals who were in the police, in the army, teachers, and railway employees. While biometric authentication offers many advantages in terms of security and convenience, it also poses significant risks to privacy and civil liberties. 

Additionally, I saw multiple folders containing application and development files in the database. Exposed application files pose an additional threat of unauthorized access. Malicious actors could compromise and alter files used by the application to inject malware or other malicious code. This would allow deeper access to sensitive user information, including personal details, login credentials, and other data on the device where the application is installed. The consequences of a data breach involving application and development files highlight the critical importance for companies, contractors, or government agencies that use biometric software applications to prioritize cybersecurity and restrict unauthorized access to sensitive data. This includes files transmitted and stored by applications, including documents that contain source code or development files.

As an ethical cyber security researcher, I never download the data I discover and only take a limited number of screenshots for verification purposes. I also never bypass security or use exposed login credentials. I am not implying any wrongdoing by Thoughtgreen Technologies Pvt Ltd, Timing Technologies India Pvt Ltd, their employees, clients, affiliates, or possible third parties. I also do not claim there is any risk to the biometric data of their clients, customers, or users of their services. It is also not known if anyone else accessed the database or how long it was publicly accessible, as only an internal forensic audit would identify any additional and/or unauthorized access. However, it should be noted that nearly a month later I saw a dark web-related Telegram channel selling data that appeared to be related to my discovery. Although I did not analyze the data being offered for sale and cannot confirm it is the same dataset, I can say the samples and structure posted by cyber criminals are consistent with the exposed database that I saw.
