This investigation brief records that India's citizen-data failures were not isolated leaks but a pipeline: surveillance SDKs, identity databases, health records, bank-transfer data and scam networks repeatedly exposed citizens while public notification and institutional accountability remained incomplete.
This article is based on the supplied verified investigation record and the connected thenitishkr.in evidence route. It is written as a public-interest investigation brief, not as promotional copy.
India's digital infrastructure has been breached repeatedly: from ultrasonic beacons listening inside homes, to Aadhaar API access sold through informal channels, to 815 million identity records traded for 80,000 US dollars. The record shows that each major breach was followed by a familiar pattern: limited public explanation, weak citizen notification and no clear accountability report visible to the ordinary person whose data was exposed.
The central question is not technical. It is constitutional. If a citizen's Aadhaar, biometrics, passport details, bank records, health identifiers and daily routines can move through exposed systems, mobile SDKs, leaked databases and fraud networks, what does the State owe that citizen after the harm is known?
The Pipeline of Surveillance
The record describes seven public-risk episodes. Together they show how data exposure moved from advertising surveillance to identity databases, health systems, bank-transfer records and fraud networks.
SilverPush. Ultrasonic audio-beacon profiling marks the beginning of the surveillance-SDK question.
InMobi. The record connects location tracking and child-privacy findings to mobile-adtech accountability.
Aadhaar API sale. Full identity access was sold for Rs 500.
S3WaaS exposure. Government cloud exposure continued for 26 months.
CoWIN and ICMR. Telegram lookup records and the 815 million-record ICMR sale sit in the same identity-exposure timeline.
NPCI NACH. Bank-transfer records were publicly accessible.
Fraud impact and official response. The record links data exposure to digital-arrest scams and cites the CERT-In reply to Shri Nitish Kumar dated 6 July 2026.
The Result
The record links digital arrest scams, investment fraud, identity theft and financial loss to stolen government and quasi-government data. It cites Rs 22,495 crore lost in 2025 and a 900% surge in digital arrest scams.
If the State can collect identity at scale, it must also notify, repair and account for identity harm at scale.
Why This Matters
If a person has Aadhaar, CoWIN registration, a bank account, a phone number, a SIM connection, a digital loan record or a smartphone, the risk described by the brief is not abstract. The question is whether that person's data appeared in one or more compromised systems, whether they were ever notified, and whether any public authority recorded a remedy.
This is where the article connects to the wider thenitishkr.in archive. The MeitY digital-governance record asks what happens to stolen Indian citizen data on foreign servers. The Digital Arrest Scam Guide explains how identity, fear and official-looking scripts are weaponised. The Digital Constitutional Personhood framework asks whether a citizen's digital record must be treated as part of constitutional personhood rather than disposable database residue.
Press-Ready Brief
India's 14-year data-collapse record. Between 2012 and 2026, government systems, health databases, cloud platforms and mobile SDKs exposed biometric, financial and behavioural data of Indian citizens. The record calls for citizen notification, Data Protection Board activation, forensic investigation and public action-taken reports.
815 million ICMR records were sold in 2023.
Aadhaar API access was sold for Rs 500 in 2018.
CoWIN lookup records appeared through a Telegram bot in 2023.
Government cloud exposure continued for 26 months.
NPCI NACH bank records were publicly accessible in 2024.
CERT-In public citizen notifications for the cited major breaches are absent from the record.
CERT-In Complaint Draft
The following complaint draft is included as a working public-interest template. It should be checked by the complainant before filing, and attachments should be limited to lawful, non-private, redacted evidence.
Source and Record Route
| Record area | Status on this page | Reader route |
|---|---|---|
| SilverPush and InMobi | Public regulatory/adtech record | Archive PDF and FTC InMobi record |
| Aadhaar API sale | Identity-access record | UIDAI and MeitY digital-governance case file |
| S3WaaS exposure | Government cloud exposure record | Follow the Data record |
| CoWIN Telegram bot | Health-identity lookup record | Follow the Data record |
| ICMR mega-breach | Health database exposure record | ICMR and the connected case file |
| NPCI NACH leak | Bank-transfer exposure record | NPCI and the connected case file |
| CERT-In response | Official correspondence record | CERT-In reply and CERT-In letter to MeitY |
Continue Reading
These records carry the article into the investigation file, remedy guidance and constitutional frame.