Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to WebsitePlanet about a non-password-protected database that contained over 1.6 million documents belonging to an Indian leading provider of biometric authentication solutions, with offices in the USA and Australia. The exposed records included the biometric identity information of members of the police, army, teachers, and railway workers. In parallel, it appeared that the data might have been for sale on a dark web related Telegram group.
The publicly exposed database contained 1,661,593 documents with a total size of 496.4 GB. I saw documents containing: facial scan images, finger prints, signatures (in English and Hindi), identifying marks such as tattoos or scars, and much more. There were also scans of documents such as birth certificates, testing and employment applications, diplomas, certifications, and other education related files. Among the most concerning files were what appeared to be the biometric data of individuals from the police and military in verification documents. Upon further investigation, I saw documents indicating the records belonged to two separate entities which suggests they operate under the same ownership: ThoughtGreen Technologies and Timing Technologies, each of which provide application development, analytics, development outsourcing, RFID technology, and biometric verification services. According to their websites, they have offices in the United States, Australia, and India. I immediately sent a responsible disclosure notice to the contact details indicated for both companies, and public access to the database was restricted the same day. I did not receive any reply, and it is not known how long the database was exposed or if anyone else may have had access to the biometric records. Only an internal forensic audit would identify any suspicious activity and whether the records were accessed by anyone else. It’s not clear exactly who owned the server, despite the data appearing to be owned by either or both companies.
According to a job listing description of the company: Timing Technologies India has expertise in RFID Biometric Facial Recognition and other IT Solutions, among others involving physical tests, for Recruitment of Army, Police and Railway organizations of India.The records span from 2021-2024 and were actively updating in real time during my research. There were 284,535 documents marked as Physical Efficiency Test (PET) for police and law enforcement officers. The database also stored images of 143,173 signatures and a very large number of .PDF documents that contained the name, images, and fingerprints of multiple individuals. I saw numerous files featuring the biometric data of individuals who appeared to be high-ranking military personnel. The database also contained several mobile applications and installation files compressed in .zip format. One folder was titled “Facial Software Installation” and other folders stored images and documents presumably captured and transmitted through the application. I also saw documents that contained internal database names, login, and password information in plain text.
Publicly exposed biometric data can pose far more potential risks than other types of personal information due to its inclusion of identifiers (such as fingerprints and facial features) that do not change throughout a person’s lifetime.
This screenshot shows police recruitment documents containing names, ID card number, signature images, details about identifying marks on their bodies, and other PII.
This screenshot shows a state-level police application form with PII, email and phone contacts, images of the applicant, and more.
This screenshot shows what appears to be senior police or military officers who have had their biometric data used for identity verification for an exam, review, or promotion.
This screenshot shows a document containing the names and fingerprints of individuals from the National Institute of Technical Teachers Training & Research.
This screenshot shows how the folders appeared inside the exposed database. Folders indicating facial recognition application, images, and biometric data separated by males and females.
This screenshot shows database administrative credentials including a username and password exposed in the code of one of the files.
This screenshot shows a darkweb affiliated Telegram channel selling data and includes sample accounts of police employees for verification. This could be the same dataset that was publicly exposed. The data posted for sale was identified nearly a month after my responsible disclosure notice and the database was secured.❮❯
Biometric Data of Police, Military, and Railway Workers Compromised
Exposing the biometric data of police officers, military personnel, and railway workers raises serious concerns about potential security threats and privacy violations. The exposed database contained a wealth of sensitive information that is necessary for verifying the identities of individuals and preventing impersonation. However, in the wrong hands, this information could potentially be used for malicious purposes. For example, a criminal could use the exposed data to impersonate another individual — in this case, it could be someone who works in law enforcement or the army, which could lead to possible national security concerns. Hypothetically, a criminal could replace the image, fingerprint, and other data inside the database with those of an impersonator, who would then pass the biometric identity test as the face and prints match those in the exposed database. Another potential risk is identity theft. Biometric data, such as fingerprints and facial recognition scans, are unique identifiers tied to an individual’s identity. Passwords, credit card numbers, contact details, and other identifiers can be easily changed if compromised, while biometric data is permanent and is virtually impossible to change. Potentially affected individuals could have numerous long-term identity risks over their exposed biometric information. I am not saying this information was at risk or accessed by cyber criminals and I am only providing real-world hypothetical risk scenarios. This data breach raises serious concerns regarding data security and underscores the broader ethical and regulatory challenges surrounding the collection, use, and storage of biometric data. In 2022, India passed a law giving police extensive powers to collect biometric data from people who have been convicted, arrested, or detained. In this case, these were not criminals or suspects who had their biometric data collected, but instead individuals who were in the police, in the army, teachers, and railway employees. While biometric authentication offers many advantages in terms of security and convenience, it also poses significant risks to privacy and civil liberties. Additionally, I saw multiple folders containing application and development files in the database. Exposed application files pose an additional threat of unauthorized access. Malicious actors could compromise and alter files used by the application to inject malware or other malicious code. This would allow deeper access to sensitive user information, including personal details, login credentials, and other data on the device where the application is installed. The consequences of a data breach involving application and development files highlights the critical importance for companies, contractors, or government agencies that use biometric software applications to prioritize cybersecurity and restrict unauthorized access to sensitive data. This includes files transmitted and stored by applications, including documents that contain source code or development files. As an ethical cyber security researcher, I never download the data I discover and only take a limited number of screenshots for verification purposes. I also never bypass security or use exposed login credentials. I am not implying any wrongdoing by Thoughtgreen Technologies Pvt Ltd, Timing Technologies India Pvt Ltd, their employees, clients, affiliates, or possible third parties. I also do not claim there is any risk to the biometric data of their clients, customers, or users of their services. It is also not known if anyone else accessed the database or how long it was publicly accessible, as only an internal forensic audit would identify any additional and/or unauthorized access. However, it should be noted that nearly a month later I saw a dark web related Telegram channel selling data that appeared to be related to my discovery. Although, I did not analyze the data being offered for sale and can not confirm it is the same dataset. I can say the samples and structure posted by cyber criminals is consistent with the exposed database that I saw.
Jeremiah Fowler is a Security Researcher and co-founder of Security Discovery. Jeremiah began his career in security research in 2015 and has a mission of data protection. He has helped identify and secure the data of millions of people around the world. His discoveries have been covered in Forbes, BBC, Gizmodo, among others. Security and responsible disclosure are not only a passion, but a way of protecting our digital lives.
Thank you, - your comment was submitted successfully!
We check all user comments within 48 hours to make sure they are from real people like you. We're glad you found this article useful - we would appreciate it if you let more people know about it.
Share this blog post with friends and co-workers right now:
Thank you, , your comment was submitted successfully!
We check all comments within 48 hours to make sure they're from real users like you. In the meantime, you can share your comment with others to let more people know what you think.
Thank you for signing up!
Once a month you will receive interesting, insightful tips, tricks, and advice to improve your website performance and reach your digital marketing goals!
