Massive India Data Breach Exposes Millions of Biometric Records
A massive data breach in India has exposed the biometric data of millions of citizens. An unsecured database containing fingerprints and facial scans of police, military personnel, and civilians was discovered during the general elections, raising serious concerns about identity theft and election security.
According to cybersecurity expert Jeremiah Fowler, the unsecured database, containing over 1.6 million documents (totaling 496.4 GB), was discovered by Website Planet. The leaked files included photographs, fingerprints, signatures, and identification tags of police officers, military personnel, teachers, and railway workers.
In addition to biometric data, the breach included critical documents such as birth certificates, email addresses, job applications, diplomas, and other confidential files.
Among the files highlighted were 284,535 documents related to physical fitness tests (PET) for police and law enforcement personnel. These files contained images of signatures, PDF documents, and special mobile applications, some of which were packaged in ZIP archives.
One folder, named “Facial Software Installation,” contained images and documents transmitted through the aforementioned applications. The breach also exposed internal database names, logins, and passwords in plain text.
Most of the leaked data belonged to two Indian companies: ThoughtGreen Technologies and Timing Technologies. Both firms provide application development, RFID technology, and biometric verification services. However, it remains unclear which company owned the compromised server.
Experts note that the leaked information could already be on sale among malicious actors, putting millions of people at risk of targeted cyberattacks.
Biometric data, such as fingerprints, are unique identifiers tied to an individual’s identity and are nearly impossible to alter. These data can be used for numerous malicious purposes, including identity fraud and personal data theft.
It is noteworthy that in 2022, India passed a law expanding the police’s authority to collect biometric data from convicted, arrested, or detained individuals. However, few could have anticipated that these data would be leaked, compromising even the biometrics of police and military personnel.
This incident underscores the ethical and regulatory challenges associated with the collection, use, and storage of biometric data. It serves as a stark reminder to governments and private companies of the severe consequences of even minor lapses in data security.