The website of the Tamil Nadu Police was hacked earlier this week by cybercriminals who demanded a ransom of $20,000 to restore the site, The Hindu reported on September 12. The website now appears to have been restored.
Importantly, it was reported that hackers, believed to be based in South Korea, gained access to the Face Recognition System (FRS) database during the breach. This database contains images and other details of individuals with criminal records and repeat offenders. The Tamil Nadu police’s use of facial recognition technology (FRT) is presently facing a legal challenge in the Madras High Court due to concerns related to privacy. The recent data breach only exacerbates these privacy concerns.
Police officials informed The Hindu that the incident affected a variety of e-services offered by the Tamil Nadu police, such as filing online complaints, access to first information reports (FIRs), and checking the status of investigations.
As per a preliminary investigation, the hackers took advantage of two logins with weak passwords to gain access to the site, the report said. A police officer informed The Hindu that they will conduct a thorough investigation and enhance the website’s security by implementing a two-step verification process.
Article continues below ⬇, you might also want to read:
- Stop Tamil Nadu Police From Using Facial Recognition: Chennai Resident’s Plea Before Madras High Court
- India’s Digital Personal Data Protection Bill, 2023 Gives The Government Powers To Exempt Itself From The Bill, Block Content, And More
- Multiple Cyber Threats Targeted At Military Personnel In India, Pakistan Taken Down: Meta
- Madras HC Questions Why Tamil Nadu’s Competence To Ban Online Gambling Is Being Doubted: Report
Can the DPDP Act prevent such data breaches in the future?
The Digital Personal Data Protection Act, 2023, which was enacted into law last month but is yet to go into effect, gives the Data Protection Board the power to impose a penalty of up to Rs 250 crores on entities that suffer a data breach because they failed to adopt reasonable security safeguards to protect personal data. This should act as a strong incentive for entities to do more to safeguard data.
By default, this provision also applies to personal data processed for law enforcement purposes, which means the Tamil Nadu Police would have to comply and take all reasonable safeguards to prevent a breach.
However, section 17(2) of the DPDP Act allows the Central government to exempt any agency of the government from the Act by issuing a notification. If Tamil Nadu Police is notified as an exempted agency, then it will not face any consequences for data breaches in the future.
STAY ON TOP OF TECH NEWS: Our daily newsletter with the top story of the day from MediaNama, delivered to your inbox before 9 AM. Click here to sign up today!