Public Interest Investigation

India's Regulator Slept. Your Data Was Sold.

A 14-year surveillance pipeline runs through Aadhaar, biometrics, passport records, bank records, health data, mobile SDKs and daily behaviour trails while CERT-In's public citizen-notification record remains unresolved.

By Filed: Section: Public Interest Investigation Status: Verified record brief
Public-interest news visual on India data breach, citizen identity risk and surveillance accountability
Investigation visual for the public-interest data-breach and surveillance record.
Record answer

This investigation brief records that India's citizen-data failures were not isolated leaks but a pipeline: surveillance SDKs, identity databases, health records, bank-transfer data and scam networks repeatedly exposed citizens while public notification and institutional accountability remained incomplete.

Record basis

This article is based on the supplied verified investigation record and the connected thenitishkr.in evidence route. It is written as a public-interest investigation brief, not as promotional copy.

India's digital infrastructure has been breached repeatedly: from ultrasonic beacons listening inside homes, to Aadhaar API access sold through informal channels, to 815 million identity records traded for 80,000 US dollars. The record shows that each major breach was followed by a familiar pattern: limited public explanation, weak citizen notification and no clear accountability report visible to the ordinary person whose data was exposed.

The central question is not technical. It is constitutional. If a citizen's Aadhaar, biometrics, passport details, bank records, health identifiers and daily routines can move through exposed systems, mobile SDKs, leaked databases and fraud networks, what does the State owe that citizen after the harm is known?

14Years in the pipeline
815MICMR records recorded
26Months of S3WaaS exposure recorded
2026CERT-In reply cited by brief

The Pipeline of Surveillance

The record describes seven public-risk episodes. Together they show how data exposure moved from advertising surveillance to identity databases, health systems, bank-transfer records and fraud networks.

2012

SilverPush. Ultrasonic audio-beacon profiling marks the beginning of the surveillance-SDK question.

2016

InMobi. The record connects location tracking and child-privacy findings to mobile-adtech accountability.

2018

Aadhaar API sale. Full identity access was sold for Rs 500.

2022-2024

S3WaaS exposure. Government cloud exposure continued for 26 months.

2023

CoWIN and ICMR. Telegram lookup records and the 815 million-record ICMR sale sit in the same identity-exposure timeline.

2024

NPCI NACH. Bank-transfer records were publicly accessible.

2025-2026

Fraud impact and official response. The record links data exposure to digital-arrest scams and cites the CERT-In reply to Shri Nitish Kumar dated 6 July 2026.

The Result

The record links digital arrest scams, investment fraud, identity theft and financial loss to stolen government and quasi-government data. It cites Rs 22,495 crore lost in 2025 and a 900% surge in digital arrest scams.

If the State can collect identity at scale, it must also notify, repair and account for identity harm at scale.

Why This Matters

If a person has Aadhaar, CoWIN registration, a bank account, a phone number, a SIM connection, a digital loan record or a smartphone, the risk described by the brief is not abstract. The question is whether that person's data appeared in one or more compromised systems, whether they were ever notified, and whether any public authority recorded a remedy.

This is where the article connects to the wider thenitishkr.in archive. The MeitY digital-governance record asks what happens to stolen Indian citizen data on foreign servers. The Digital Arrest Scam Guide explains how identity, fear and official-looking scripts are weaponised. The Digital Constitutional Personhood framework asks whether a citizen's digital record must be treated as part of constitutional personhood rather than disposable database residue.

Press-Ready Brief

Press brief

India's 14-year data-collapse record. Between 2012 and 2026, government systems, health databases, cloud platforms and mobile SDKs exposed biometric, financial and behavioural data of Indian citizens. The record calls for citizen notification, Data Protection Board activation, forensic investigation and public action-taken reports.

Finding 1

815 million ICMR records were sold in 2023.

Finding 2

Aadhaar API access was sold for Rs 500 in 2018.

Finding 3

CoWIN lookup records appeared through a Telegram bot in 2023.

Finding 4

Government cloud exposure continued for 26 months.

Finding 5

NPCI NACH bank records were publicly accessible in 2024.

Finding 6

CERT-In public citizen notifications for the cited major breaches are absent from the record.

CERT-In Complaint Draft

The following complaint draft is included as a working public-interest template. It should be checked by the complainant before filing, and attachments should be limited to lawful, non-private, redacted evidence.

CERT-In Incident Report - Draft Reporter: Nitish Kumar (thenitishkr), Kharar, Punjab Incident type: Multi-year national-scale data compromise Affected data: Aadhaar, biometrics, passport details, PAN, voter ID, CoWIN records, ICMR test data, bank-account details and behavioural telemetry Summary: Between 2012 and 2026, multiple public systems, health databases, cloud services and mobile SDK ecosystems exposed sensitive citizen data. The incident chain cited in the investigation brief includes SilverPush ultrasonic tracking, InMobi location tracking, Aadhaar API sale, S3WaaS cloud exposure, CoWIN API lookup records, ICMR mega-breach and NPCI NACH leak. Action requested: 1. Assign CERT-In tracking number. 2. Initiate forensic investigation. 3. Coordinate with UIDAI, NIC, NPCI, MoHFW, ICMR and relevant agencies. 4. Issue citizen notifications where exposure is confirmed. 5. Publish action-taken report. Attachments to prepare: Timeline, evidence list, screenshots, lawful API logs, hashes of leaked datasets, source URLs and redaction note.

Source and Record Route

Record areaStatus on this pageReader route
SilverPush and InMobiPublic regulatory/adtech recordArchive PDF and FTC InMobi record
Aadhaar API saleIdentity-access recordUIDAI and MeitY digital-governance case file
S3WaaS exposureGovernment cloud exposure recordFollow the Data record
CoWIN Telegram botHealth-identity lookup recordFollow the Data record
ICMR mega-breachHealth database exposure recordICMR and the connected case file
NPCI NACH leakBank-transfer exposure recordNPCI and the connected case file
CERT-In responseOfficial correspondence recordCERT-In reply and CERT-In letter to MeitY

Continue Reading

These records carry the article into the investigation file, remedy guidance and constitutional frame.