Telangana police take down TSCOP after breach — but questions galore on data cops keep

“Sorry for the inconvenience but we’re performing some maintenance at the moment. If you need to you can always contact us, otherwise, we’ll be back online shortly,” a message on the website read.

Personal data on dark web

The HawkEye app, which was launched by the Hyderabad City Police in December 2014, allows citizens to report crimes they witness.

The message on TSCOP app. (Screengrab)

Data from the app was hacked on 29 May and the hacker uploaded names, contact numbers, and locations of people using the app on the dark web.

In T Safe app — launched for women if they wanted to be tracked by the police while travelling — data is supposed to be deleted after the woman completes her travel. But, what concerns the experts is that the data hasn’t been deleted and hackers have posted samples of it on the dark web. 

Director General of Police Ravi Gupta speaking to South First said, “It is a small data leak and we are investigating it.”

However, police officials did not respond to questions on why data of people checking into hotels were allegedly collected by cops.

Also Read: Congress’ poor show in Telangana Lok Sabha polls: Did BJP beat the party in appropriating BRS votes?

How was the app hacked?

Explaining the hacking, Srinivas Kodali, a data researcher and an activist told South First: “I have tweeted with the screenshots that Telangana COP network has been hacked easily because the company has hardcoded (embedded passwords as plain text).”

“The operator, Adm1nFriend, claimed to have uploaded all data on the website BreachForum. The app developers are not qualified and there are no security audits for websites or apps launched by Telangana police, making it easy for the apps to be hacked,” he said.

Kodali also also questioned the Telangana police keeping everyone’s 360-degree profile. “Why should it be with them,” he asked.

“The IT Department of Telangana, using Samagraha Kutumba Survey, illegally collected data through Aadhaar-based profiles,” the expert alleged.

“The police can only have limited access to data such as passports, and criminals’ data. However, it is found out that individuals’ photos from hall-tickets for examinations are also used by the police for facial recognition,” he explained.

Anyone who breached the @TelanganaCOPs can get access to entire 360 degree profile of anyone in Telangana. The IT Department of Telangana which illegally created these Aadhaar based profiles using Samagraha Kutumba Survey has shared all data to the police. pic.twitter.com/kBD9qIYVjD

— Srinivas Kodali (@digitaldutta) June 7, 2024

Concerns over data misuse

Kodali further elaborated that the screenshots he shared on X have the code and details of people who checked into any hotel in the state and questioned why that data was readily available to the police.

“Data retention policy says that data collected via the recently launched T SAFE app should be deleted after the purpose of collecting the data is complete. But the data is not being deleted and it violates a person’s privacy,” he added.

He expressed concern over the possible misuse of the undeleted data.

Kodali further questioned the purpose of the TSCOP website and lack of audit after an application was launched. He recommended regular audits and better security checks.

The hackers have posted sample data on widely known dark web sites to entice buyers, according to technical experts. Interestingly, TSCOP was awarded for ‘Empowering Police with Information Technology’ by the National Crime Records Bureau (NCRB) in 2017.

(Edited by Neena)