
A leak of police biometric data is a sign of things to come


Personal information of thousands of law enforcement officials and people applying to be police officers in India has been leaked online, including fingerprints, images of facial scans, signatures and details of tattoos and scars on their bodies. If this wasn’t alarming enough, around the same time, cybercriminals began advertising the sale of similar biometric police data from India on the Telegram messaging app.

Last month, security researcher Jeremiah Fowler discovered the sensitive files on an exposed web server linked to ThoughtGreen Technologies, an IT development and outsourcing company with offices in India, Australia and the United States. Within a total of nearly 500 gigabytes of data spanning 1.6 million documents, dated from 2021 until Fowler discovered them in early April, was a mine of sensitive personal information about teachers, railroad workers and law enforcement officers. Included were birth certificates, diplomas, education certificates, and job applications.

Fowler, who shared his findings exclusively with WIRED, says that among the wealth of information, the most concerning files were those that appeared to be verification documents linked to Indian law enforcement or military personnel. While the misconfigured server has since been shut down, the incident highlights the risks of companies collecting and storing biometric data, such as fingerprints and facial images, and how it could be misused if the data is accidentally leaked.

“You can change your name, you can change your banking information, but you can’t change your actual biometrics,” Fowler says. The researcher, who also published the findings on behalf of Website Planet, says this type of data could be used by cybercriminals or scammers to target people in the future, a risk that increases for sensitive law enforcement positions.

Within the database Fowler examined were several mobile applications and installation files. One was titled “facial software installation” and a separate folder contained 8 GB of facial data. The photographs of people’s faces included computer-generated rectangles that are often used to measure the distance between points on the face in facial recognition systems.

There were 284,535 documents labeled Physical Efficiency Tests related to police personnel, Fowler says. Other files included job application forms for law enforcement officers, profile photographs and identification documents with details such as “mole on nose” and “cut on chin.” At least one image shows a person holding a document with a corresponding photo included in it. “The first thing I saw was thousands and thousands of fingerprints,” Fowler says.

Prateek Waghre, executive director of the Indian digital rights organization Internet Freedom Foundation, says there is “huge” biometric information collection happening all over India, but there are additional security risks for people involved in law enforcement. “Many times, the verification used by government employees or officials is also based on biometric systems,” says Waghre. “If that’s potentially compromised, you’re in a position where someone can misuse it and then gain access to information that they shouldn’t.”

It appears that some biometric information about law enforcement officials may already be shared online. Fowler says that after the exposed database was shut down, he also discovered a Telegram channel, containing a few hundred members, that claimed to sell Indian police data, including on specific individuals. “The structure, screenshots and a couple of folder names matched what I saw,” says Fowler, who for ethical reasons did not buy the data sold by the criminals, so he could not fully verify that it was exactly the same data.
