TL;DR: Punjab Forensic Science Agency reported a breach exposing more than 900GB of forensic records, including DNA data, crime scene evidence, and investigation files, with the article attributing the incident to Beast ransomware and warning of public safety and case integrity impacts. The breach shows how overexposed sensitive records and weak access boundaries turn a ransomware event into an identity governance failure.
NHIMG editorial — based on content published by Gurucul: Threat Intelligence Punjab Forensic Science Agency Data Breach
By the numbers:
- On November 7th 2025, Punjab Forensic Science Agency (PFSA) experienced a significant data breach, exposing over 900GB of sensitive forensic records.
Questions worth separating out
Q: What breaks when ransomware reaches forensic records and identity data?
A: When ransomware reaches forensic records and identity data, the incident stops being a system outage and becomes a trust failure.
Q: Why do public-sector case systems need stronger access boundaries than ordinary business apps?
A: Public-sector case systems handle records with legal, evidentiary, and operational sensitivity that ordinary business apps usually do not.
Q: What do security teams get wrong about ransomware recovery in evidence-heavy environments?
A: Teams often assume recovery is mostly about backup availability.
Practitioner guidance
- Separate investigative and administrative data planes Place forensic case stores, payroll records, and identity documents in distinct network and access zones so a compromise in one system cannot expose the others.
- Make backup isolation verifiable Use air-gapped backups for critical records and test that restore paths do not depend on the same privileged credentials or domain trust as production systems.
- Tie clearance to record class Define access by evidence sensitivity, not just job title, and require separate approvals for forensic material, identity documents, and financial records.
What's in the full article
Gurucul's full blog covers the incident detail this post intentionally leaves for the source:
- The article's case-specific breach summary, including the stated date, target environment, and exposed record types.
- The supporting screenshots and document samples that show payroll, identity card, challan, and forensic analysis material.
- The vendor's incident-response recommendations for backups, segmentation, EDR, SIEM, and access control.
- The broader threat-intelligence framing around Beast ransomware and public-sector targeting.
👉 Read Gurucul's analysis of the PFSA data breach and exposed forensic records →
PFSA breach and forensic records exposure: what identity teams should note?
Explore further
Public-sector breach impact is determined by record reach, not just malware severity. When an attacker can touch forensic data, identity records, and case files in one environment, the incident becomes a governance failure as much as a security event. The decisive question is how much sensitive material the attacker could reach before containment. Practitioners should evaluate every high-value repository by its identity blast radius, not by system type alone.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to the same report.
A question worth separating out:
Q: Who is accountable when sensitive forensic records are exposed in a breach?
A: Accountability usually sits with both the data owner and the security governance function. The data owner must define sensitivity and access rules, while security must enforce segmentation, privilege limits, and recovery isolation. In regulated or public-sector environments, that accountability also extends to how evidence integrity and access review are documented.
👉 Read our full editorial: PFSA data breach exposes the identity risks in public-sector forensics