Police in India have reported the sale of hacked CCTV videos from a maternity hospital on the Telegram platform. This incident has raised concerns regarding privacy and security standards in India, where surveillance cameras are widely deployed.
Gujarat state police initiated an investigation earlier this year after media reports identified videos on YouTube depicting pregnant women undergoing medical examinations and receiving injections at a maternity hospital. These YouTube videos included links to Telegram channels where longer versions of the footage were available for purchase. The hospital's director indicated that the cameras had been installed to ensure the safety of medical personnel. The specific city and hospital are not being disclosed to protect the identities of the individuals shown in the videos. No formal complaints have been filed by the affected women.
Nationwide Cybercrime Operation
The police investigation revealed an extensive cybercrime operation. Sensitive footage from at least 50,000 CCTV systems across India was reportedly stolen by hackers and subsequently sold online. CCTV cameras are a common feature in India, particularly in urban environments, installed in locations such as malls, offices, hospitals, schools, private residential complexes, and individual homes.
Cybersecurity experts have noted that while CCTV systems can enhance security, those that are poorly installed or inadequately managed may pose privacy risks. In India, camera systems are often managed by staff without specific cybersecurity training, and some domestically produced models are described as being susceptible to exploitation. Previous incidents include a 2018 report of a hacked webcam in Bengaluru where the hacker demanded payment, and a 2023 report of a YouTuber discovering their home CCTV had been compromised after private videos circulated online. The federal government issued guidance in the past year, advising states against procuring CCTVs from suppliers with a history of security vulnerabilities and introducing new regulations aimed at improving the cybersecurity of these devices. Despite these measures, hacking incidents continue to be reported.
Investigation Details and Legal Action
Lavina Sinha, head of the Ahmedabad cybercrime department leading the current investigation, informed reporters that police uncovered a "network of individuals spread across the country." These individuals were reportedly compromising video surveillance systems in various settings, including hospitals, schools, colleges, corporate offices, and private residences across multiple states.
Hardik Makadiya, a senior cybercrime official in Gujarat, stated that the videos were sold for prices ranging from 800 to 2,000 rupees ($9-22; £7-17), with Telegram channels offering live CCTV feeds through subscriptions. Police have registered a case under several sections of Indian law, including provisions concerning the violation of a female patient's privacy, publishing obscene material, voyeurism, and cyber terrorism, the latter being a non-bailable offense. Authorities confirmed that they contacted Telegram and YouTube, resulting in the removal of the identified videos.
Since February, eight individuals have been arrested in connection with the case, with four arrests in Maharashtra and others in Uttar Pradesh, Gujarat, Delhi, and Uttarakhand. These individuals remain in judicial custody as legal proceedings continue. Yash Koshti, legal representation for three of the accused, has denied the allegations, stating that his clients are not hackers or cybercriminals and that the breaches were carried out by others.
Expert Commentary on Security Measures
Cybercrime investigator Ritesh Bhatia has advised that weakly protected CCTV and home networks are vulnerable targets and require proper securing. He explained that wireless CCTV systems, which allow remote access to footage via smartphones or laptops, become susceptible to hacking once connected to the internet. Hackers can reportedly decode IP addresses and default passwords, gaining access to view, record, download, or disable live footage.
Mr. Bhatia recommended securing surveillance systems by changing IP addresses and default passwords. He suggested using robust passwords that incorporate a mix of letters, numbers, and symbols and are not dictionary words, along with periodic cybersecurity audits. Additionally, Mr. Bhatia stated that CCTV manufacturers have a responsibility to clearly instruct users on packaging to replace default passwords with strong alternatives, drawing a parallel to health warnings on cigarette packets.