Indian Council for Politics and Research

The Hidden Trade: How Indian Government Institutions Are Monetizing Citizens’ Most Sensitive Data

December 6, 2025

Sapan Gupta

Election

In an era where personal data is often dubbed the “new oil,” India’s citizens are unwittingly fueling a lucrative engine, one driven not by Big Tech alone but by the very institutions meant to protect them. On December 6, 2025, I received a chilling WhatsApp message that shattered my trust in the system. The promotional text, sent from an unknown number, peddled online birth certificate services and brazenly referenced intimate details about my newborn child, information that should have been locked away in the vaults of the Municipal Corporation of Delhi (MCD).

This wasn’t a random hack; it was a targeted exploitation, allegedly stemming from a data leak or sale by government bodies to private entities like Delhi e Services and Pro Digital Bharat Services Pvt. Ltd. My ordeal is not isolated; it’s a symptom of a deeper malaise, where public data repositories are being ransacked for profit, leaving ordinary Indians exposed to identity theft, scams, and surveillance. As the Digital Personal Data Protection (DPDP) Rules come into force amid fresh controversies like the Sanchar Saathi app debacle, this article delves into the mechanics of this shadowy trade, its recent flashpoints, and the urgent need for accountability.

A Newborn’s Data: The First Casualty of Institutional Betrayal

I spent the next hour shaking with anger and helplessness. I tried to file a complaint on cybercrime.gov.in. My attempt to file a formal complaint with the Cyber Crime Cell on the same day I received the intrusive message paints a stark picture of vulnerability at its most tender. At 7:13 PM, my phone buzzed with a message from +91-9250000247, promoting “easy online services” for birth certificates via delhieservices.com. The sender had access to specifics about my child’s recent hospital registration, details I had entrusted solely to the MCD following the birth. The website traces back to Pro Digital Bharat Services Pvt. Ltd., a Delhi-based firm (CIN: U63992DL2023PTC422004) with directors Ranjeet Shrivastav and Anshika, ostensibly offering “e-governance” solutions. My grievance accuses the MCD of unlawfully sharing or selling this data, enabling the company to spam new parents with unsolicited pitches.

This isn’t mere sloppiness; it’s a pattern. Similar fraud calls have plagued new parents, as evidenced by a September 2025 X post from Mohd Faizan, who reported a scam demanding ₹200 for a PDF birth certificate shortly after his wife’s delivery at Kasturba Gandhi Hospital. He tagged the MCD and Anti-Corruption Bureau, suspecting a direct data pipeline from hospital records to fraudsters. Historical precedents abound: In 2015, the Central Bureau of Investigation (CBI) raided North Delhi Municipal Corporation offices over a birth certificate scam involving touts and officials issuing fake documents for bribes.

Failed Cyber Security

More recently, in June 2025, the MCD admitted lapses in a wrestling federation scandal where over 100 fake birth certificates were issued from identical addresses, implicating a nexus between coaches and civic officials. My case highlights the human cost. As a “tech-savvy individual,” I spent 1.5 hours futilely navigating the cybercrime.gov.in portal before emailing my complaint, complete with screenshots and registration proofs. My newborn, barely days old, now faces risks of identity fraud, from forged documents to targeted phishing. “This constitutes a serious violation of privacy, data protection laws, and cyber security norms.” I am demanding investigations into the MCD’s role and legal action against the implicated firm. Yet, without swift enforcement, such pleas echo in the void, underscoring how government-held data (births, deaths, Aadhaar linkages) becomes a commodity in an unregulated bazaar.

The Sanchar Saathi Saga: Surveillance Masquerading as Safety

If my story exposes the sale of data, the Sanchar Saathi app controversy reveals the government’s appetite for hoarding it. Launched in 2023 as a tool to combat cyber fraud by tracking stolen phones via IMEI numbers, the app was thrust into the spotlight on November 28, 2025, when the Ministry of Communications issued a confidential order mandating smartphone makers like Apple, Samsung, and Xiaomi to preload it on all new devices sold in India. Users would be barred from deleting or disabling it, granting the app sweeping permissions: access to call logs, messages, cameras, photos, and network data.

The backlash was swift and seismic. Opposition leaders, including Congress’s Priyanka Gandhi, branded it a “snooping app,” evoking memories of the Pegasus spyware scandal. Privacy advocates warned it could erode the fundamental right to privacy affirmed by the Supreme Court in 2017’s Justice K.S. Puttaswamy verdict. Reuters reported that Apple planned to resist, citing surveillance risks for India’s 730 million smartphone users. Digital rights activist Nikhil Pahwa highlighted the irony: “Due to the amount of data leaked by the government… they are unable to now contain the fraud.” By December 3, amid parliamentary uproar and non-compliance threats from tech giants, Telecom Minister Jyotiraditya Scindia backtracked, declaring the app “voluntary” and removable.

The damage already occurred

The app’s privacy policy openly collected “traffic data” and device information, claiming fraud prevention but inviting misuse. Critics on Reddit hailed the reversal as a “big win for citizens,” yet they revealed a troubling trend: government apps operate as Trojan horses for data aggregation. Sanchar Saathi joined a pattern: remember how the 2023 CoWIN portal breaches during COVID vaccinations exposed personal health data, or how the 2021 Air India leak compromised 4.5 million customers. By 2025, cybercriminals launched over 1.9 million attacks on healthcare alone. Such tools now amplify fears that authorities use “cyber safety” as a code for state surveillance.

The Ecosystem of Exploitation: From Leaks to Lucrative Deals

How does this happen? India’s public data ecosystem, spanning Aadhaar, electoral rolls, health records, and civic registries, is a goldmine for intermediaries. Government institutions, strapped for funds, often outsource digitization to private firms like Pro Digital Bharat Services, which promise “e-services” but deliver data pipelines to marketers. The MCD, for instance, has long battled fraud in birth/death registrations; a 2017 initiative linked them to Aadhaar to curb fakes, yet breaches persist. Touts and “agents” thrive, as seen in the 2016 theft of 20,000 blank certificates from the New Delhi Municipal Council.

Many Recent Cases

Recent news underscores the scale. In July 2025, a LinkedIn post by K. Yatish Rajawat flagged “flagrant misuse of citizen data,” demanding court scrutiny. Broader leaks, like the 2022 Domino’s India breach exposing 180 million users, trace back to lax government oversight. The DPDP Act of 2023, operationalized via November 14, 2025 rules, aims to plug holes with consent-based processing, breach notifications within 72 hours, and penalties up to ₹250 crore. But exemptions for “national security” grant the government unchecked access, sans independent oversight—a flaw decried by DW as enabling surveillance while curbing RTI access and press freedom.

Key Data Breaches Involving Government Institutions (2023-2025)

| Incident | Affected Data | Scale | Outcome |
|---|---|---|---|
| CoWIN Portal Leak (2023) | Vaccination records, phone numbers | Millions exposed | Partial fixes; no major prosecutions |
| Aadhaar Misuse Reports (2024) | Biometrics, addresses | 100+ cases flagged | UIDAI fines; ongoing lawsuits |
| Sanchar Saathi Mandate (Dec 2025) | Device IMEI, call logs | Potential 730M users | Mandate revoked after backlash |
| MCD Birth Certificate Scams (2025) | Newborn details | Many fraud calls | Waiting for action |

This table illustrates the recurring theme: Institutions collect data for public good, but weak enforcement turns it into private profit.

The Human and Societal Toll: Beyond Breaches to Betrayal

For families like mine, the fallout is profound. Newborn data isn’t just administrative; it’s tied to inheritance, healthcare, and identity. Leaks enable scams, or worse: targeted harassment. Economically, cyber fraud cost India ₹1.25 lakh crore in 2024, per RBI estimates, eroding trust in digital services. Socially, it disproportionately hits the marginalized: rural parents without tech savvy, or low-income households reliant on government portals.

Critics argue this stems from a “misdirected” policy framework. The DPDP Rules mandate parental consent for children’s data and data minimization, but with a nascent Data Protection Board (just four members for 1.4 billion people), enforcement lags. As one YouTube analysis noted, the law lacks GDPR-like rights (e.g., data portability) and grants 10 agencies broad monitoring powers.

A Call to Reckoning: Reclaiming Data Sovereignty

India’s data trade thrives in the shadows because accountability does too. My plea to probe MCD leaks, penalize Pro Digital Bharat, and enforce safeguards must echo nationally. The Sanchar Saathi U-turn shows public pressure works; imagine channeling it into DPDP audits or mandatory transparency reports. Until then, citizens remain pawns in a game where their privacy is the ante.

Policymakers must close exemption loopholes, empower the Data Protection Board with teeth, and criminalize data sales outright. Tech firms, too, bear responsibility, refusing mandates as Apple did. For a Digital India to flourish, it must first be a Private India.

Public Warning: Safeguard Your Data from Government Gatekeepers

Alert: Your Personal Information May Already Be for Sale. Act Now!

Citizens of India, beware: The cradle of your child’s birth certificate, your phone’s IMEI, or your vaccination record could be circulating in private hands, courtesy of leaky government vaults. Recent scandals, like the MCD’s alleged sharing of newborn data with firms such as Pro Digital Bharat Services Pvt. Ltd. and the short-lived Sanchar Saathi app push, signal a crisis. Here’s how to protect yourself:

  1. Monitor and Report Intrusions: Received unsolicited messages with your details? Screenshot and report to cybercrime.gov.in or 1930 (cyber helpline). Demand transparency from institutions like MCD—file RTIs on data-sharing policies.
  2. Secure Registrations: When registering births/deaths, use official portals only (e.g., crsorgi.gov.in). Avoid third-party “agents”; link to Aadhaar cautiously and enable two-factor authentication.
  3. App Vigilance: Uninstall or disable non-essential government apps like Sanchar Saathi. Review permissions—revoke camera/mic access unless vital. Use VPNs for sensitive transactions.
  4. Legal Recourse: Under DPDP Rules 2025, demand data erasure or correction from fiduciaries. For breaches, notify the Data Protection Board via its upcoming app. Penalties await violators—invoke them.
  5. Community Action: Share stories on platforms like X (e.g., #DataLeakIndia) to amplify pressure. Join digital rights groups for collective advocacy.

Your data is your fortress; don’t let institutions auction it away. Stay vigilant; privacy isn’t a privilege, it’s a right. If breached, act swiftly: The next could be you. For urgent help, contact the National Cyber Crime Reporting Portal immediately.

