New Delhi: Using one universal password, a hacker unlocked a nationwide surveillance nightmare that turned hospital CCTV footage into illegal pornography. The breach began in January 2024 at Payal Maternity Hospital in Rajkot, Gujarat, when hackers used brute-force tools to gain access to live footage of gynaecological examinations. Over a period of more than nine months they retrieved more than 50,000 clips from at least 80 hacked CCTV dashboards in 20 states, with Pune, Mumbai, Ahmedabad, Delhi and Surat among the affected cities. The victims included patients, students, workers and residents, filmed in hospitals, schools, factories, cinemas and private homes.
Parit Dhameliya, a BCom graduate, and an accomplice in the hacking, Rohit Sisodiya, were arrested by investigators in February 2025. The two ran three automated scripts that cycled through common credentials, and they relied on factory-default settings on Hikvision and Dahua systems. Footage was leaked on YouTube channels such as ‘Megha MBBS’ and sold on Telegram for between Rs 700 and Rs 4,000 per video, and stayed online until June 2025.
Key findings from cybercrime probe:
- 80 dashboards were hacked through brute force and credential stuffing.
- 50,000+ clips stolen from Jan–Dec 2024.
- 20 states were affected, in settings ranging from clinics to corporate lobbies.
- NordPass 2024 statistics: ‘admin123’ is one of the most frequently used passwords in the world, and it can be cracked in less than 1 second.
How to secure CCTV systems:
- Change default passwords; enforce passwords of 16+ characters (e.g., Gujrat2025!Secure).
- Enable 2FA and automatic firmware updates.
- Isolate cameras on a separate private VLAN.
- Use password managers (NordPass, Bitwarden) with unique and complex passwords.
Cyber authorities caution that IoT devices are not hardened and are thus an easy target for attackers. It was not high-end hacking but rather laziness, as opportunity dictates, said an Ahmedabad cybercrime officer. Institutions and hospitals have been required to audit CCTV logins within 30 days.
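One way to carry out the login audit mentioned above, as an added example that is not part of the original report: it scans a dashboard's authentication log for bursts of failed logins from one source and notes any success that follows. The log format, the thresholds and the name `audit_logins` are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the "time ip user result" format is an assumption.
SAMPLE_LOG = """\
2024-01-10T02:14:01 203.0.113.7 admin FAIL
2024-01-10T02:14:02 203.0.113.7 admin FAIL
2024-01-10T02:14:03 203.0.113.7 root FAIL
2024-01-10T02:14:04 203.0.113.7 operator FAIL
2024-01-10T02:14:05 203.0.113.7 admin FAIL
2024-01-10T02:14:06 203.0.113.7 admin OK
2024-01-10T09:00:00 192.0.2.10 reception FAIL
2024-01-10T09:00:20 192.0.2.10 reception OK
"""

def audit_logins(log_text, max_failures=5, window=timedelta(minutes=1)):
    """Flag sources whose failed logins reach max_failures within window."""
    recent = defaultdict(deque)   # source IP -> (time, user) of recent failures
    flagged = {}                  # source IP -> finding
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue              # skip malformed lines instead of crashing
        stamp, ip, user, result = parts
        when = datetime.fromisoformat(stamp)
        fails = recent[ip]
        while fails and when - fails[0][0] > window:
            fails.popleft()       # drop failures that left the time window
        if result == "FAIL":
            fails.append((when, user))
            if len(fails) >= max_failures:
                finding = flagged.setdefault(
                    ip, {"users": set(), "success_after_burst": None})
                # Many distinct usernames from one source suggests stuffing.
                finding["users"].update(u for _, u in fails)
        elif result == "OK" and ip in flagged and fails:
            # A success while a flagged source still has failures in the
            # window is the event to investigate first.
            if flagged[ip]["success_after_burst"] is None:
                flagged[ip]["success_after_burst"] = (stamp, user)
    return flagged

if __name__ == "__main__":
    for ip, f in audit_logins(SAMPLE_LOG).items():
        print(ip, sorted(f["users"]), f["success_after_burst"])
```

A flagged source with a recorded success should lead to an immediate password reset on that account and a review of what was viewed or exported afterwards.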