In a major privacy breach, Tamil Nadu police’s Madurai unit’s database of thousands of ‘suspected criminals’ was made public without its knowledge. The database included names and photographs of the people under the scanner.
The leaked data also included OTP codes, administrator password and details of the police officers using the app. The database was found by security researchers Robert Baptiste, also known as Elliot Alderson, and Oliver Hough. The duo took to Twitter to report the data breach.
The Tamil Nadu police used CopsEye, designed by Madurai-based startup Geomeo Informatics, to enable a facial recognition security system. The system was adopted by Madurai police in June this year.
The app allowed the police to take photos of people suspected to be involved in criminal activities. Cops Eye would automatically scan the previous criminal records to make investigations of the suspects easy.
Security researcher Hough alleged that the database included 4900 ‘wanted’ people and had 7.5 K images. He accused the app of storing all the images, even if it wasn’t a match. The app was allegedly left unsecured despite the company receiving a warning from Google-owned Firebase, which is a database company.
The database was pulled off the internet from public views. The app has been taken off Google play on Thursday as well.
A spokesperson of Geomeo Informatics, in a press statement, said that the app was running its demo version with dummy database. The developers of the company were using the dummy database to launch the app in another district of Tamil Nadu.
“The photos and names are from a test set, they may not necessarily be exact matches. They could be indicative names assigned to the photos to be checked later. This demo app is used to show how the product works,” the spokesperson added.
The spokesperson also said that the company would secure the database and create an internal policy to use local servers, rather than cloud servers for product testing.