Facial Recognition Software of Tamil Nadu Police hacked, data offered for sale

The Facial Recognition Software (FRS) portal of the Tamil Nadu police has been hacked, compromising the personal data of individuals in its database. Tamil Nadu is the southernmost state in India, and is the tenth largest Indian state by area and the sixth largest by population.

The FRS portal, launched in October 2021, holds over 6 million records, including:

• photographs,
• names,
• FIR numbers,
• police officer details.

This platform is used by more than 46,000 police officers statewide to identify and track individuals. The breach was discovered when Falconfeeds.io, a cybersecurity monitoring platform, reported that samples from the FRS database were listed for sale on the dark web.

The hacker, identified as "Valerie," accessed the system using the credentials of a sub-inspector. They posted a facial recognition report sample from a Basin Bridge police station constable, revealing the top 20 matches. Although the hacker had limited access, they could verify whether individuals were involved in crime cases by forwarding their photos. The database is linked to the backend Crime and Criminal Tracking Network & Systems (CCTNS) to identify suspects.

The State Crime Records Bureau (SCRB) and the Centre for Development of Advanced Computing (CDAC) are assessing the breach's severity. Initial investigations revealed that an admin account's password was compromised.

Although this account could only view frontend data, it could create user IDs and perform query searches. As a preventive measure, the admin account has been deactivated, and the Tamil Nadu police communicated with relevant agencies.

No details are available about the number of affected individuals.

Update - Over 800,000 lines of data, including information of over 50,000 persons were exposed in the data breach.