A troubling case out of India is shining a harsh light on just how unsafe poorly secured CCTV systems can be and how easily intimate moments can end up online.
Police in Gujarat recently uncovered a sprawling cybercrime ring after hacked CCTV videos from a maternity hospital were found circulating on YouTube. The clips showed pregnant women during medical exams, with links directing viewers to Telegram channels where longer, more invasive footage was being sold. To protect the women’s identities, neither the city nor the hospital has been named.
What started as a single hospital breach quickly unraveled into something much bigger. Investigators say hackers had quietly broken into at least 50,000 CCTV systems across India. Hospitals, schools, office buildings, malls, private apartments, even people’s bedrooms. Nothing was off-limits. Footage was being sold on Telegram for as little as 800 to 2,000 rupees, with some channels offering live feeds through monthly subscriptions.
Police describe the operation as a network of individuals spread across multiple states. Eight arrests have been made so far, suspects from Maharashtra, Uttar Pradesh, Gujarat, Delhi, and Uttarakhand with charges ranging from privacy violations to cyberterrorism, a non-bailable offense. Investigators say the group used basic brute-force tools to break into CCTV systems and exploited the fact that many cameras still run on default passwords like Admin123.
CCTVs have become part of daily life in India, in hospitals, apartment complexes, shops, and homes. But while adoption has exploded, security practices haven’t kept up. Many systems are installed by staff with no cybersecurity training. Some locally manufactured cameras are easily exploitable. And once a CCTV goes online without proper protection, it becomes an open door for attackers.
Privacy advocates have warned for years that surveillance without safeguards leads to exactly this: sensitive footage leaking online, victims too embarrassed to report it, and cybercriminals turning private life into a commodity. Even after the federal government introduced stricter procurement rules last year, hacking incidents continue to surface.
Cybercrime investigators stress that simple steps go a long way, changing default passwords, rotating IP addresses, using stronger authentication, and conducting regular audits. But the responsibility doesn’t end with users. Manufacturers also need to build clearer warnings and stronger defaults into their products. When a camera comes out of the box insecure, the damage becomes predictable.
For organizations, this incident is a reminder that even a single weak device can compromise an entire environment. Modern attackers don’t break in through dramatic, complex techniques, they slip through the smallest cracks.
Incidents like this make one thing painfully clear: surveillance without security is a ticking time bomb. When thousands of cameras sit online with default passwords, outdated firmware, and no monitoring, attackers don’t need sophisticated exploits; they only need time and curiosity.
The India CCTV case is disturbing, but it’s not an outlier. It’s a warning and one we can’t afford to ignore.