The core infrastructure is porous, routinely leaking sensitive data, and exposing citizens, enterprises, and national systems to risk.
In The Sunday Guardian article, “Digital India Must Become Abuse-Proof,” dated 26 March 2022, I warned: “The Indian State is extremely poor in data protection and response to data breaches. For a country of a billion, we are a data mine, but we are blissfully ignoring the fact that data is the 21st century’s oil as well as its deadliest weapon. It is both precious, as well as dangerous, and should be handled with utmost care.”
Three years later, the Indian State’s casual approach to data security remains unchanged.
DIGITAL VISION AT RISK
The Narendra Modi government has changed India’s digital landscape, driving empowerment, inclusion, and innovation. While India is rapidly progressing to build a USD 1 trillion digital economy by 2028, the ambition is undercut by foundational vulnerabilities. The contradiction is profound: a nation leading the world in digital public infrastructure and scalable solutions, yet lacking basic safeguards to prevent hostile exploitation.
The core infrastructure is porous, routinely leaking sensitive data, and exposing citizens, enterprises, and national systems to risk. The mismatch between the pace of digitisation and the investment in digital safety—both in literacy and security—is stark. This is not merely a central or state government issue; it is a national problem. The strategic importance of data protection as the bedrock of digital sovereignty and national security is largely absent from the collective Indian mindset. India even lacks a unified legal framework to secure its digital future.
The costs of this indifference are real. Financial and cybercrimes are escalating. Large volumes of personal data are seeping into adversarial hands, where they can be weaponised against Indian interests. Unless this foundational gap is closed, India’s digital transformation could soon become its most dangerous vulnerability.
THE GST LEAK: A CASE STUDY IN SYSTEMIC INACTION
A leaked address, paired with financial identifiers, is not just a privacy lapse; it is an open invitation for a variety of crimes, including fraud, extortion, and even physical assault. Over 13 million GST payees have been exposed to this risk for nearly eight years. Google refuses takedown requests, citing that the data originates from official government websites.
In June 2018, I discovered that private players were harvesting data from central and state government portals. This included legal names, GST numbers, PAN numbers, emails, phone numbers, addresses, and turnover figures. I alerted high authorities. Within a month, visible sensitive fields on the GST payment portal were masked. But the breach had already occurred. The data had been scraped, stored, and monetised. No effort was made to trace, revoke, or neutralise the leaked data. No system-wide audit was ordered to identify ongoing or latent vulnerabilities. No accountability was fixed.
For years, I was flagging this privately and publicly. The institutional silence that followed, mirrored by public apathy, reveals more than bureaucratic failure; it exposes a deep societal blind spot to data risk.
Even today, multiple platforms allow individual and bulk searches by PAN, GST number, or name. Some refresh data regularly, pointing to live access into government systems. While mobile numbers and emails are privately traded, registered addresses remain openly accessible. One site even boasts: the GST portal withholds details like aggregate turnover behind login; we offer it without one. (Language altered—quoting verbatim surfaces the site via Internet search and can bring more people to it to mine data. That precaution, demonstrated here, is precisely the mindset the State should have.) This site, incidentally, was among those I flagged to high authorities.
Recently, the Surat Chartered Accountants Association (CAAS) flagged to the Union Finance Ministry the sale of bundled GST data, effectively business blueprints that undermine fair competition. Their repeated representations to both Gujarat and central authorities have yet to result in any concrete action. Similar concerns surfaced in Punjab last year, amid allegations of GST department employees selling sensitive data to competitors. In May 2025, the Leader of the Opposition in the Maharashtra Legislative Council called for a probe into unauthorised sharing of GST data and potential breach of confidentiality. The same institutional indifference persists across states. This is the attitude towards taxpayers’ safety.
The GST data leak is a case study in how a single breach, left unaddressed, endangers millions. The stubborn refusal to act exposes the hollowness of institutional responsibility in India’s digital governance.
A LEAKING INFRASTRUCTURE AND THE INDIFFERENCE MINDSET
In early 2024, the Election Commission fixed a privacy flaw in its RTI portal that had exposed applicant data to the public. The flaw, discovered by a security researcher, was reportedly ignored by the EC, CERT-In, and the National Critical Information Infrastructure Protection Center, and fixed only after a tech-media platform intervened. This episode again highlighted that India’s data infrastructure leaks, and those responsible for its integrity neither detect vulnerabilities nor act promptly when alerted. There is no urgency, no accountability, and no effort at future-proofing—failures at every stage of the data security lifecycle.
No wonder that the scale and frequency of data breaches are staggering. Sensitive personal data is routinely compromised and surfaces on the dark web in such volumes that it should jolt the nation into urgent action. Yet, the breach of citizen data has not triggered an introspection.
Let us take Jharkhand, for instance. In 2017, its Directorate of Social Security website reportedly leaked Aadhaar numbers, names, and bank details of over one million pensioners due to a “programming glitch.” In 2023, a breach of the state AYUSH website was reported, exposing 320,000 patient records, including PII and diagnoses, as well as doctors’ sensitive data on the dark web.
These are not isolated lapses or breaches but part of a recurring pattern where government websites publish personal data by design or oversight, lack adequate safeguards, and face no consequences for it. The underlying architecture is just not protective.
The Ministry of Corporate Affairs routinely publishes company emails, registered addresses, and identification numbers (CIN/LLPIN/DIN), enabling private platforms to map individuals and corporate entities with ease. Gujarat’s integrated Revenue Case Management System discloses addresses of litigants. Judicial public records often include personal identifiers without redaction. While the judiciary has recognised the right to privacy and even the right to be forgotten, masking is directed only in narrow contexts. There is a broader failure to institutionalise minimal data collection, publication, and anonymisation as a default.
One reason is that basic questions around data necessity or publishing are never raised. As I noted in my 2022 article: “The voter’s address and family members are easy to find from the Election Commission (EC) sites, although one would wonder why the EC needs to map the family of the voters and put it, along with the residential address, for public consumption.” Why is this information even public? No one asks. No one explains. And the same pattern repeats across sectors.
Another reason is that the negligent mindset is all-pervasive. On 12 June, a major news agency published the passport numbers of Air India 171 crash victims—an act that shows how even the media, which ought to act as a check, disregards basic norms. Elected representatives are no better; Shashi Tharoor recently posted an official communication containing a citizen’s passport number.
It is one thing if a data breach happens due to bad actors; quite another if the systems leak by design, sustained by institutional and public indifference. Every touchpoint—government, courts, corporates, media, healthcare, education, social media—is both a breach and leak vector. India’s data landscape is functioning exactly as built: insecure by design, and indifferent by culture thanks to the strategic failure to treat data as a national asset.
Indians own their data, but lack the knowledge or power to secure it. The State, as the largest data fiduciary driving the Digital India vision, has the responsibility to protect citizens’ data but remains grossly negligent.
India is both a data goldmine and a digital sieve. The national response to data breaches is superficial and reactive; patching one hole after another without tracing vulnerabilities, neutralising harvested data, or correcting institutional blind spots. This breach–neglect–repeat cycle signals dangerous complacency.
At the current trajectory, India is not building a digital economy. It is building a digitally exposed state, where a systemic failure could trigger the collapse of the entire digital edifice.
DATA WEAPONISATION: A NATIONAL SECURITY THREAT
The sensitive data of Indian citizens is commodified and traded by individuals and organised networks, both domestic and foreign, through both open and shadow markets. The core threat, however, is not criminality alone, but the weaponisation of data.
India’s porous data systems, weak security protocols and lax approach to data security make it highly vulnerable to low-effort attacks by adversaries. In an AI-driven age, vast datasets enable rapid profiling and precision misinformation to shape narratives, create unrest, and impact sovereignty.
Beyond national security, weaponised data threatens important sectors. The breach and sale of 815 million ICMR records, for instance, could be exploited to erode public trust and undermine India’s ambitions in health diplomacy and medical tourism.
A compromised data environment corrodes more than privacy; it undermines institutional trust and economic resilience.
On the individual front, identity theft and financial fraud are accelerating, with minimal recourse for victims. Losses from data-driven crimes in India are projected to rise to $20-25 billion annually by 2030 if things do not change. At scale, weaponised data can destabilise the socioeconomic environment, undermine investor confidence, and damage India’s global standing.
The relentless integration of Aadhaar, PAN, banking, UPI, and other identity-linked systems—while foundational safeguards are weak—amplifies the risk of mass digital disempowerment by hostile states, malicious actors, or even internal subversion.
The mix is lethal: vast datasets in malicious hands, a digitally unprepared citizenry, and a governance model that still treats data protection as a bureaucratic afterthought rather than a strategic imperative.
THE TICKING TIME BOMB
At the heart of Digital India’s vision is the promise of a “cradle to grave” digital identity, meant to be the cornerstone of empowerment and inclusion. Yet, when the infrastructure underpinning this identity cannot guarantee even basic data security, the promise becomes a paradox.
No one sees India’s data crisis holistically—red flags and responses remain siloed, ignoring the structural rot.
India cannot afford to continue with cosmetic changes and reactive patchwork. It requires urgent rewiring of the system to build a resilient digital architecture, or the country’s digital dream will implode under its own vulnerabilities. The first step: a nation-wide deep system scan to map the full scale of exposure. A state that does not know its own attack surface cannot govern data—let alone protect its citizens in the digital age.
* Semu Bhatt is a strategic adviser, author, and founder of FuturisIndia.