Telangana Police's Hawkeye App Hacked and Lakhs of People's Data on Sale
Hyderabad: The Telangana police safety app 'Hawkeye' has been hacked, putting the personal data of lakhs of users at risk. The stolen information, which includes extremely personal data of users, is now being sold online for $200 (Rs.16,000).
The breach was discovered on May 29, when a user on a database forum opened a thread regarding user data for sale. It has been found that sensitive data such as email addresses, names, phone numbers, physical addresses, location coordinates, phone IMEI numbers, and alert coordinates of users are now available on the web. The hacker has even uploaded a sample of hundreds of people's data to prove the authenticity of the breach.
'Hawkeye' was developed to help citizens to report crimes and emergencies quickly. Hawkeye is advertised on the police website as “A part of citizen-friendly and responsive policing.”
The Hawkeye received its last update in April of 2021. That there were no updates to enhance its security or features may have contributed to the app's vulnerability. In 2023, police officials said they were working with vendors for an updated patch for the app but nothing appeared to have come out of it.
The hacker, with an intent of selling the personal data of lakhs of people, uploaded sample data from different sections of Hawkeye on the forum. In it, he mentioned that he had the data of 1.3 lakh users in SOS, 70,000 users in ‘Report a Violation’ and 20,000 users in ‘Women Travel Made Safe’ sections, totalling 2.2 lakh people.
Users are now concerned about their safety and privacy. Many who used the Hawkeye are worried about how this stolen data could be used, fearing that it could lead to identity theft, financial fraud or even physical harm if their addresses and locations become widely known.
A user on X wrote “What kind of people do they hire to build these things to show off and expose all women to danger? Absolutely shocking attitude of the department in being so casual and indifferent to safety, security and privacy.”
Cybersecurity experts have criticised the Telangana police for their lax approach to maintaining and updating Hawkeye. Kodali Srinivas, a leading cybersecurity expert, said, "They used basic authentication with Base64 encoding with a hard-coded password. It's crucial for any app, especially those dealing with sensitive personal information, to have regular updates and strong security measures. This breach shows a serious neglect in protecting user data."
“I have warned the police multiple times about the safety of the app. But the police have always been nonchalant towards my concerns. They advertised the app at traffic signals, urging women to download the app for their safety. They asked owners to enter the details of their rental tenants into the app, all while the app was having such weak security,” Srinivas added.
Despite the severity of the situation, the police seem to be showing little concern. There has been no official statement addressing the breach. When Deccan Chronicle reached out to officials, they said they could not give any information at the moment.
Many citizens are now calling for the Telangana police to take urgent steps to address the security flaws in Hawkeye and to ensure that such a breach does not happen again. Users are also demanding better communication and support from the authorities to help protect themselves from the potential misuse of their stolen data.