20-year-old Delhi student held for hacking Telangana police Hawk Eye app

The ADGP maintained that the investigation is still ongoing and is yet to ascertain if the hacker had shared only the screenshots or if there was an actual massive data breach.

HYDERABAD: A 20-year-old student in Delhi has been arrested for hacking the Hawk Eye application of the state police department and offering the stolen data for sale at $150 to interested buyers. A team from the Telangana Cyber Security Bureau (TGCSB) travelled to Delhi and nabbed him on Saturday.

The accused, Jatin Kumar, is also allegedly behind the data leak of TSCOP and SMS services. He has a history of cybercrimes and was arrested by the Special Cell, Dwaraka Police Station, last year in connection with a data leak regarding Aadhaar cards and critical information related to other agencies, DGP Ravi Gupta said.

Despite Jatin’s efforts to mask his identity, the TGCSB tracked him down using “social engineering techniques”, the Telangana police said. Jatin is alleged to have posted the compromised data on databreachforum, offering to sell it for $150. Interested buyers were asked to contact him through Telegram IDs Adm1nfr1end and Adm1nfr1ends to purchase the data of HawkEye and TSCOP.

Speaking to TNIE, TGCSB director Shikha Goel said, “The accused claimed to have shared the compromised data and asked for payment via crypto wallets. But as of now, we are probing if the data was sold, and if so, the details of the purchase will be collected from crypto wallets.”

Police probe to ascertain massive data breach claims

TGCSB director Shikha Goel said that the probe is ongoing and they are investigating to find if there are any accomplices involved in the case. “The investigation is currently open-ended. The first focus was to find the hacker who had breached the data,” she said and added that based on the findings, the police would widen the scope of the probe. The Telangana police are still in Delhi and will bring the accused to Hyderabad on a transit remand.

“Prima-facie, it is suspected that because of a weak/compromised password, the intruder might have obtained access to certain segments of Hawkeye data by generating a report,” police said.

Explaining this, Additional Director General of Police (Technical Services) VV Srinivas Rao said, “When the username is compromised, one can break through and enter restricted areas and then generate reports. These reports can then be saved as screenshots or PDFs.”

The ADGP maintained that the investigation is still ongoing and it is not yet ascertained if the hacker had shared only the screenshots or if there was an actual massive data breach. “Only at the end of the investigation will we know the extent to which the hacker was able to break through and the volume of the alleged data leak,” he said.

The police asserted that they have initiated comprehensive monitoring and Vulnerability Assessment & Penetration Testing (VAPT) “across all police internal and external networks, web and mobile applications, as well as cloud and endpoints to identify and address any security weaknesses, to prevent any future breach”.

Moreover, the police claimed that most of the leaked information was either stale or non-confidential. No financial data was leaked through the breach of the Hawk Eye application, the cops said.

Idea to share hotel data mooted in 2019, but didn’t materialise

The police also refuted claims that the TSCOP collects visitor/ hotel management data. “When the state police needed such information for investigation purposes, the cops requested and fetched such data from private parties,” a senior official said.

On claims of hotel management details being shared by the police with an American firm, Zebichain, police sources revealed that it is true that the company collects such data with the approval of state governments and state police departments in certain parts of the country. “An idea was mooted in Telangana too, in 2019–20. Maybe it was initially tested. However, it never materialised,” sources told TNIE.

There might have been an Android Application Package based on the initial tests. Screenshots of the guest data that are being circulated could be based on that, they said.

False claims over the change of TS to TG, case registered

After fake information circulated on social media claiming that the change of nomenclature from TS to TG would result in spending thousands of crores of public money, the Hyderabad cyber crime police registered a case against those who shared the post. Congress workers filed a police complaint stating that the fake information was posted on the official X handle of the BRS. The cybercrime police registered a case and started the investigation. The social media post is yet to be taken down from the X handle of the BRS.

The New Indian Express