87% citizens surveyed say their personal data already stands compromised with 50% concerned about their Aadhaar details; Most hold telcos, eCommerce and banking/financial services entities responsible for it

March 4, 2025, New Delhi: During the Mahakumbh many people received WhatsApp messages from unknown numbers seeking donations. Many of the recipients of such messages took to social media to complain about how they were being bombarded despite not having shared their numbers. “Data privacy is a big joke in India…Never shared our mobile numbers with ISKON but always get donation messages. Looks like unauthorized data selling…” one of the citizens shared on LocalCircles. Similar complaints were found on platforms like X.

Hopefully, the Ministry of Electronics and Information Technology, which released the draft rules for the Digital Personal Data Protection (DPDP) Act after a long wait of 16 months and invited public inputs via the MyGov portal by March 5, will plug this menace soon. Without the rules in place, the legislation, which was passed in Parliament in August 2023, couldn’t come into force.

Marking a pivotal step toward robust data governance, the draft rules under DPDP Act have specific provisions to prevent personal data breaches. To ensure government’s control over cross-border data flow, a specialised government appointed committee will determine which categories of personal data must remain within the borders. Additionally, data fiduciaries seeking to process personal data outside India must comply with specific conditions to be outlined through government notifications. The draft rules also propose the establishment of the Data Protection Board as a regulatory body. It will operate as a digital office, with remote hearings and will have powers to investigate breaches, enforce penalties and so on.

In October 2024, Star Health Insurance, one of India’s major health insurers, faced a massive data breach which allegedly led to compromising private details of 31 million customers. This personal data leak of millions was yet another wake-up call for the government which has considerably delayed framing the rules for the implementation of the legislation. Also, last year, cybersecurity firm CloudSEK unveiled a massive security breach exposing personal information of 750 million people in India. This breach included vital details such as names, mobile numbers, addresses, and Aadhaar information. This extensive database, amounting to a staggering 1.8 terabytes, was reported to being sold by threat actors from CyboDevil and UNIT8200. The breach was made public on January 23, 2024, when CloudSEK's AI digital risk platform, XVigil, detected a post by CyboDevil on an underground forum advertising the Indian Mobile Network Consumer Database. UNIT8200 had previously offered similar data on Telegram on January 14, 2024. The exposed dataset allegedly covered 85% of the Indian population, making it one of the largest breaches in recent times. Compromised information, compressed to 600GB and uncompressed to 1.8TB, poses significant risks to both individuals and organizations.

The biggest issue is that most organisations in India including Government offices continue to not give importance to protecting private data. According to citizen posts on LocalCircles, through mandates or requests, citizens are made to share their data, however the entity that is doing so has limited checks and balances in place to ensure that the data stays protected and secure. Citizens in the last 24 months have cited hundreds of examples of Government offices, hotels, banks, telecom providers, eCommerce platforms, coaching classes and many other entities compromising their private data like Aadhar, PAN card, etc.

LocalCircles through a new survey has strived to find out the current state of personal data protection in India and if it has gotten worse since its last survey in 2022 when 72% of the respondents stated that their personal details are in the public domain or in databases from where they have been leaked. The new survey received over 36,000 responses from citizens located in 375 districts of India. 67% respondents were men while 33% respondents were women. 45% respondents were from tier 1, 22% from tier 2 and 33% respondents were from tier 3 and 4 districts.

87% citizens surveyed believe one or more of their personal data elements are already in public domain or in databases that have been compromised

In the light of many instances of personal data leaks not just in India but also overseas, the survey asked citizens, “Are your personal details already in the public domain or in databases from where it has been leaked?” Out of 18,039 responses to the question 87% admitted that their “personal details were leaked or are in public domain”. Only 4% of respondents stated “no personal details have been leaked or are in public domain” while 9% of respondents did not give a clear answer. In essence, 87% of citizens surveyed believe one or more of their personal data elements are already in public domain or in databases that have been compromised.

Percentage of citizens who confirmed that their personal data is in public domain or leaked jumped from 72% to 87% in the last 36 months

When comparing the survey results of 2022 and currently, the percentage of citizens who confirmed that their personal data is in public domain or leaked has jumped from 72% to 87% currently.

Of those Indians who believe their personal identification data has been leaked or in public domain, over 50% say it is their Aadhaar or PAN card details or both that have been compromised

The survey next asked citizens, “What all personal details of yours are already in the public domain or in the databases from where it has been leaked?” Some among 17,317 who responded to the question indicated more than one option. Thus 91% indicated “mobile number”; 73% “email address”; 54% indicated “aadhar number”; 52% indicated "PAN card number”; 21% stated “voter ID”; 21% stated "credit/ debit card number”; 18% stated “annual income/ salary”; and 21% stated "other details” not mentioned. In addition, 9% of respondents did not give a clear answer. To sum up, among those Indians who believe their personal identification data has been leaked or in public domain, over 50% say it is their Aadhaar or PAN card details or both that have been compromised.

Citizens whose personal data has been leaked and in public domain hold various arms of the Government, telcos, banks and eCommerce apps/sites responsible for it

Many times, citizens are forced to share their personal details with banks, at the government offices, to get mobile connection, etc. The survey asked citizens, “What all entities do you hold responsible for leaking or bringing your personal details in the public domain?” Some among the 18,248 who responded to the question indicated more than one option. The largest percentage of respondents or 65% hold “telecom service providers” responsible for leak of personal details; 63% indicated “eCommerce apps/ sites”; 56% blame “banks and financial service providers”; 50% blame “state/ local government offices, databases, staff”; 48% of respondents stated “payment apps/ sites”; 26% of respondents stated “educational institution”; 37% stated “other businesses/ entities” not mentioned. In addition, 13% of respondents did not give a clear reply. To sum up, citizens whose personal data has been leaked and are in public domain hold various arms of the Government, telcos, banks and eCommerce apps/sites responsible for it.

In summary, 87% of citizens surveyed believe one or more of their personal data elements are already in public domain or in databases that have been compromised. Since the survey done in 2022, the percentage of citizens who confirmed that their personal data is in public domain or leaked has jumped from 72% to 87% in the last 36 months. Among those who believe their personal identification data has been leaked or in public domain, over 50% state it is their Aadhaar or PAN card details or both that have been compromised. For the present situation, citizens hold various arms of the government, telcos, banks and eCommerce apps/sites responsible.

Given the situation, the government needs to make India’s data protection law — the Digital Personal Data Protection Act (DPDPA) operational at the earliest after necessary discussions about the rules to be followed. LocalCircles plans to share results of the survey with the Government so that it can provide insights while the new rules are being finalized and implemented. It is hoped that the government will have in place provision to penalize those responsible for data leaks or violation of rules finalized.

Survey Demographics

The survey received over 36,000 responses from citizens located in 375 districts of India. 67% respondents were men while 33% respondents were women. 45% respondents were from tier 1, 22% from tier 2 and 33% respondents were from tier 3 and 4 districts. The survey was conducted via LocalCircles platform and all participants were validated citizens who had to be registered with LocalCircles to participate in this survey.