News of the Narendra Modi government making it mandatory for phone makers and importers to install its own cyber security app, Sanchar Saathi, on all new devices and crucially to ensure that users cannot delete it has naturally led to serious concerns over privacy of Indian citizens.

Many said this is an Orwellian surveillance measure, highlighting that the government now essentially has the "dystopian tool" to track your every move.

Some old faithfuls have defended the imposition of the Sanchar Saathi app, saying that law-abiding Indians should not have anything to hide from their government. That is indeed a valuable sentiment. Notwithstanding the Supreme Court's Puttaswamy judgement deeming privacy a fundamental right, the question then arises as to whether the government has been able to honour, safeguard and protect our data in the situations where it has taken it.

So low is the average Indian's trust in this matter that data breaches are now no longer a matter of concern. As many as 87% of 36,000 citizens surveyed by LocalCircles from 375 districts said that they believed that one or more of their personal data elements are already in public domain or in databases that have been compromised.

A report found that India, in the first quarter of 2025, emerged as one of the top five nations to be targeted by ransomware, with a 126% year-over-year surge in attacks. Yet another found that India has emerged as the second most targeted nation for cybercrime attacks in 2024, only trailing the US. The Union government has itself noted how cybersecurity incidents in India rose from 10.29 lakh in 2022 to 22.68 lakh in 2024.

With very little by way of expectation towards the government, here are some noteworthy instances where Indians found their government-held data compromised.

2018: 'Aadhaar details for Rs 500'

In 2018, The Tribune reported that its reporter had paid an agent via WhatsApp for access to a gateway that provided unrestricted access to the personal details associated with any of the more than one billion Aadhaar numbers. These details were sold for as little as Rs 500.

The Tribune's reporter was able to purchase login credentials to the Aadhaar database, which let it acquire information such as the names, telephone numbers and home addresses of most Indians. For Rs 300 more, the reporter could access "software" that allowed them to print out any Aadhaar card for which they had the number.

The Unique Identification Authority of India (UIDAI) said biometric details were safe and that this was a case of misuse of data.

Two days after the report was published, on January 5, 2018, an employee of UIDAI’s logistics and grievance redressal department, B.M. Patnaik, lodged a complaint against reporter Rachna Khaira and two others, Anil Kumar and Sunil Kumar, mentioned in the report, alleging that the reporter had purchased a service from both the “agents” to have unrestricted access to the data of over a billion people in possession of UIDAI.

The Delhi Crime Branch, which had been probing the matter, filed a closure report in 2021 before a Delhi court stating that there is no enough evidence to probe the matter further.

2023: CoWIN data leak

The 2023 CoWIN data breach was one of the largest in India. Data of Indians vaccinated against COVID-19 was made available on Telegram from the CoWIN app and portal, reports said.

The online platform of CoWIN had been pushed by the Modi government to record vaccine information and ideally help track COVID-19 incidents close to you.

Information made available by the Telegram bot included name, gender, birth date, Aadhaar number, PAN card number, passport number, voter ID card number, and the vaccination centre/s in which a person was vaccinated.

The government said that all such reports were "without any basis and mischievous in nature." It said that the health ministry's portal was "completely safe with adequate safeguards for data privacy."

It listed the security measures on the CoWIN portal – web application firewall, anti-DDoS, SSL/TLS, regular vulnerability assessment, and identity and access management, along with a one-time password mechanism.

Indian Computer Emergency Response Team (CERT-In) in its initial report said that the backend database for the Telegram bot was not "directly accessing the APIs of CoWIN database," the government said.

Later that year, in response to a question by Dean Kuriakose in the parliament, the junior health minister S.P. Singh Baghel said that CERT-In had said that "there was no bulk data download from Co-WIN beneficiary database." Baghel listed the same security measures that had been in the government statement half a year ago.

The response did not clarify whether some or any data had indeed been exposed, even if no bulk data had been downloaded.

"No government in a developed country would have survived a data leak on such a large scale. In India, everyone is still playing around it," a CEO of a digital threat analysis company told Scroll.in.

2023: ICMR data breach 

In 2023, personal details of more than 81 crore people were leaked from the website of the Indian Council of Medical Research and put on sale on the dark web for $80,000. These details came from data collected during COVID-19 tests, which go to the National Informatics Centre (NIC), ICMR and the Union ministry of health.

Economic Times had reported that the data breach was flagged by the US-based cybersecurity and intelligence firm Resecurity which said, "On October 9, a threat actor going by the alias 'pwn0001' posted a thread on Breach Forums brokering access to 815 million 'Indian Citizen Aadhaar and Passport' records."

Worryingly, News18 report noted how ICMR had been facing multiple cyber-attack attempts since February that year and "central agencies as well as the council were aware of it."

"Over 6,000 attempts were made last year to hack ICMR servers," the report said.

This leads to questions on why not enough was done in time.

"For true safety, Indians need to be provided with privacy. Instead, we are only offered security in terms of data protection. Even this promise of data protection is faulty, with no actual resources being allocated towards cybersecurity operations," Srinivas Kodali had written on The Wire then.

2024: Websites exposing sensitive personal identifiable info

Last year in September, the Ministry of Electronics and Information Technology said in a press release that it had noticed that "some websites were exposing sensitive personal identifiable information including Aadhaar and PAN Card details of Indian citizens."

It did not offer details of the extent to which this information was exposed and particularly, how many were affected.

The government claimed that it has taken it up "seriously" and accords "highest priority to safe cyber security practices and protection of personal data."

The sites were blocked, it claimed in a press release.

It said that CERT-In has shown "some security flaws in these websites" – without mentioning which – and said that they had been given "guidance about the actions to be taken at their end for hardening the ICT infrastructures and fixing the vulnerabilities."

The government press release also said that CERT-In has issued “Guidelines for Secure Application Design, Development, Implementation & Operations” for all entities using IT applications and has given directions under the Information Technology Act, 2000, relating to information security practices, procedure, prevention, response and reporting of cyber incidents.

The government invited adversely affected parties to approach IT secretaries of states to file a complaint under the IT act and seek compensation.

But the government notably did not reveal for how long this data was being hosted and in which websites – thus offering no recourse to people who may not have been aware that their data was being exposed.

The Wire is now on WhatsApp. Follow our channel for sharp analysis and opinions on the latest developments.