Recently, a significant data breach compromised the personal information of thousands of law enforcement officials and police officer applicants in India. Discovered by security researcher Jeremiah Fowler, the breach exposed sensitive details such as fingerprints, facial scans, signatures, and descriptions of tattoos and scars. Alarmingly, around the same time, cybercriminals advertised the sale of similar biometric data on Telegram.
The breach was traced to an exposed web server linked to ThoughtGreen Technologies, an IT firm with offices in India, Australia, and the United States. Fowler found nearly 500 gigabytes of data, encompassing 1.6 million documents dating from 2021 to early April. This data included personal information about various professionals, including teachers, railway workers, and law enforcement officials. Among the documents were birth certificates, diplomas, and job applications.
Although the server has been secured, the incident highlights the risks of collecting and storing biometric data and the potential misuse if leaked.
“You can change your name, you can change your bank information, but you can't change your actual biometrics,” Fowler noted. This data, if accessed by cybercriminals, poses a long-term risk, especially for individuals in sensitive law enforcement roles.
Prateek Waghre, executive director of the Internet Freedom Foundation, emphasized the extensive biometric data collection in India and the heightened security risks for law enforcement personnel.
If compromised, such data can be misused to gain unauthorized access to sensitive information.
Fowler also found a Telegram channel advertising the sale of Indian police data, including specific individuals’ information, shortly after the database was secured. The structure and screenshots of the data matched what Fowler had seen. For ethical reasons, he did not purchase the data, so he could not fully verify its authenticity.
In response, ThoughtGreen Technologies stated, “We take data security very seriously and have taken immediate steps to secure the exposed data.”
They assured a thorough investigation to prevent future incidents but did not provide specific details. The company also reported the breach to Indian law enforcement but did not specify which organization was contacted. When shown a screenshot of the Telegram post, the company claimed it was “not our data.” Telegram did not respond to requests for comment.
Shivangi Narayan, an independent researcher, stressed the need for more robust data protection laws and better data handling practices by companies. Data breaches are so frequent that they no longer shock people, as evidenced by a recent face-recognition data breach involving an Indian police force.
Globally, as governments and organizations increasingly use biometric data for identity verification and surveillance, the risk of data leaks and abuse rises. For example, a recent face recognition leak in Australia affected up to a million people and led to a blackmail charge.
It also has to be noted that many countries are looking at biometric verification for identities, and all of that information has to be stored somewhere. If they decide to farm it out to a third-party company, they lose control of that data.