Why That Phone Call Shook Me
Last month I got an Aadhaar-related spam call. Someone on the other end knew my full name, knew my city, and rattled off the last four digits of my Aadhaar. The voice was calm, professional, and used the kind of language you hear from a bank executive or a government officer. He asked me to “confirm the remaining digits for a routine verification linked to my PAN.” I said nothing for about three seconds, then hung up.
I sat on my bed staring at the phone for a while.
The thing that got to me was not the scam itself. I have received dozens of spam calls before, and I know how to deal with them. What got to me was the precision. This person did not guess. He already had my name, my location, and part of my Aadhaar number. He was not fishing blindly. He had real data about me, data I never gave him, and he was using it to try to extract the rest. I keep thinking about where he got those details. A government portal that left beneficiary lists public? A telecom company that got breached? An insurance provider that stored records on an unprotected server? I have handed my Aadhaar card to so many organisations over the years that the list of possible sources is uncomfortably long.
That evening I went down a research spiral. I started reading about Aadhaar breaches, about what actually happens when your data gets out, about who buys this information and what they do with it. Two weeks later, I have not stopped reading, and I am not reassured. I do not know if I am overreacting or underreacting. Both feel possible at the same time, and that is what worries me.
UIDAI has maintained that the “core biometric database” has never been compromised. I have no evidence to dispute that. But my Aadhaar number does not live only in the UIDAI database. It lives with my bank. It lives with Airtel. It lives with the life insurance company I signed up with six years ago. It lives with the mutual fund platform I use. It lives in photocopy form at a hotel in Jaipur that asked for ID when I checked in back in 2020. My Aadhaar sits in at least fifteen or twenty different places that I can remember, and probably several more I have forgotten. Each one of those is a place where a breach could happen, a server that could be misconfigured, an employee who could walk off with a database dump on a pen drive. UIDAI might have world-class security. But the gas cylinder distributor who photocopied my card probably does not.
I keep thinking about this, and the more I dig into the specifics, the more uncomfortable the picture becomes. Not because of any single horrible revelation, but because the whole system relies on hundreds of organisations keeping your data safe, and the weakest link among them determines your actual level of protection. I did not choose most of these organisations. I did not research their security practices before handing over my Aadhaar. I just gave it because it was required, the way everyone does, the way the system demands.
More Than Just a Number Gets Exposed
Before I started looking into Aadhaar breaches, I had a simple mental picture: someone gets your twelve-digit number, and that is the leak. Inconvenient, maybe a bit scary, but limited. I was wrong about that. The breaches I read about almost never involve just the number on its own.
When databases leak, they usually spill entire records. Your Aadhaar number comes bundled with your full name, your date of birth, your gender, your residential address, your registered phone number, and often your email address. In several documented cases, the leaked records also included photographs. The 2023 health insurance data breach, where records of around 81 crore Indian citizens were reportedly available for sale, included Aadhaar numbers paired with policy details and medical information. Some of the government portal leaks from earlier years included bank account numbers and IFSC codes alongside Aadhaar details. So what leaks is not a number. It is a profile. A profile complete enough that someone could walk into a bank branch and attempt to open an account pretending to be you.
The biometric angle makes this worse in a way I had not considered. Your fingerprints and iris scans are stored in the UIDAI database, and UIDAI says that data is encrypted and firewalled. Fine. But biometric data also gets captured at the point of use. Every time you authenticate at a bank branch, at a ration shop, at a telecom store, at an Aadhaar enrolment centre, a device captures your fingerprint. The security of that capture device, the software running on it, the network it transmits through, and the local storage where data might be temporarily held before being deleted (if it is deleted at all) are not things I have any visibility into. Are those thousands of biometric capture points across India all running updated software with proper encryption? I would be surprised if they were.
And fingerprints are not like passwords. If your password leaks, you change it. If your fingerprint data leaks, you are stuck with it for life. That single fact keeps running through my head.
Then there is the linking problem. My Aadhaar is tied to my PAN card, my bank accounts, my mobile number, my employee provident fund, my voter ID, my passport application, and my mutual fund investments. A breach at any one of these connection points does not just expose one piece of information. It gives an attacker a thread, and pulling that thread can unravel a lot. With my Aadhaar and PAN, someone can file fraudulent income tax returns. With my Aadhaar and phone number, they can attempt a SIM swap. With my Aadhaar and bank details, they can try to authorise transactions. The cross-linking that makes Aadhaar convenient for legitimate purposes is the same cross-linking that makes a leak so dangerous. That is what worries me about the design of the whole thing.
SIM Swap and Identity Fraud Scenarios
I came across a news report about a software engineer in Bengaluru who lost over 12 lakh rupees in four hours. The sequence was almost mechanical in how simple it was. Attackers had his Aadhaar details from a prior breach. They called his mobile operator, impersonated him using those details, and convinced the company to issue a replacement SIM card. The moment the new SIM activated, the old one in the engineer’s phone went dead. He did not notice right away because it was late at night. By morning, the attackers had received every OTP his bank sent, drained his savings account, and used a fintech lending app to take out a personal loan in his name. The money from the loan was also transferred out before he woke up and realised his phone had no signal.
Four hours. More than twelve lakhs gone. And a personal loan he never applied for, sitting on his CIBIL record, affecting his credit score for months afterward.
I keep thinking about how little the attackers actually needed to pull this off. They did not need to break into the bank. They did not need any specialised hacking equipment. They needed leaked Aadhaar data, a phone call to a telecom customer service representative, and a few hours of patience. The telecom company’s identity verification process, which is supposed to prevent exactly this kind of thing, failed because the callers had enough correct personal details to pass the checks. The checks are only as strong as the secrecy of the information they rely on, and when that information has already leaked from some other database, the checks become almost decorative.
The engineer spent months trying to get the fraudulent loan removed from his credit report. He had to file an FIR, write multiple letters to the lending company, submit an official dispute to CIBIL, and follow up repeatedly. The financial loss was covered eventually through the bank’s fraud resolution process, but the loan on his CIBIL report took far longer to resolve. During those months, his credit score was damaged, which affected his ability to get a home loan he had been planning to apply for.
SIM swaps are the dramatic version, but there is a quieter and possibly more common form of fraud that leaked Aadhaar data enables: targeted phishing. When a scammer calls you with a generic script, most people can tell something is off. But when a scammer already knows your full name, your city, the last four digits of your Aadhaar, and maybe even which bank you use, the call sounds entirely different. It sounds like a real call from a real institution.
My father got one of these calls about eight months ago. Someone claiming to be from State Bank of India called him, used his full name, referenced his home branch correctly, and told him there was a “pending KYC update” that would freeze his account if not completed immediately. He was seconds away from sharing his OTP when my mother, who was sitting next to him, said “Just hang up and go to the branch tomorrow.” He hung up. But he told me later that the call sounded completely legitimate to him. He has been banking with SBI for over thirty years. He is not careless. He is not uneducated. The call just sounded so specific and so official that doubting it felt almost rude.
I think about elderly pensioners who get these calls and do not have someone next to them saying hang up. People who grew up in a world where a person referencing your government-issued ID details was, by definition, someone official. People who comply because the caller sounds authoritative and because refusing feels like it might cause trouble. The leaked data makes the scam work not through technical sophistication but through social plausibility. A scammer armed with your real details becomes almost indistinguishable from a genuine bank representative over the phone.
There are also cases of Aadhaar details being used to forge documents. With a leaked photograph, name, date of birth, and Aadhaar number, criminals have created fake voter IDs, fake PAN cards, and fake driving licences. These forged documents then get used to open bank accounts under someone else’s name. The person whose identity was stolen might not find out for months or years, until they apply for something and discover that accounts or loans or legal proceedings exist in their name that they never initiated.
Bank Account Risks When Aadhaar Leaks
My colleague, whom I will call Rohit because he asked me not to use his real name, found out about a loan he never took when his credit card application was rejected last year. The bank told him his CIBIL score was too low because of a defaulted personal loan. He had never taken a personal loan in his life. After pulling his credit report, he found a loan from a fintech lending platform he had never heard of, approved using Aadhaar-based eKYC, disbursed into an account that was not his, and now showing as overdue against his name.
Rohit spent five months fixing this. Five months of police stations, complaint letters, phone calls to the lending company, formal disputes with CIBIL, and follow-ups with the cyber crime cell. Five months for something he had nothing to do with. The loan amount was not even that large, around 40,000 rupees, but the damage to his credit score and the time he spent fighting it were far more costly than the money itself.
The speed of digital lending in India creates a specific vulnerability. Fintech apps that promise loan approval in ten minutes rely heavily on eKYC, which often means Aadhaar-based verification. The convenience that makes it possible for a genuine borrower to get emergency funds quickly also makes it possible for a criminal with leaked Aadhaar data to get a fraudulent loan approved quickly. The same ten-minute process works in both directions, and there is very little friction built into the system to distinguish between the two.
I started asking around after hearing Rohit’s story. A friend of a friend in Pune discovered a bank account had been opened in his name at a bank he had never visited, in a city he had never been to. The account had been used to receive and transfer money in patterns consistent with money laundering. He only found out when he received a notice from the income tax department asking about transactions totalling over 15 lakhs. He had to prove that he did not open the account, did not make the transactions, and was not involved in whatever the money was being used for. The investigation lasted over eight months and involved a lawyer, multiple trips to the bank, and correspondence with both the IT department and the police.
There are documented cases of demat accounts being opened with stolen Aadhaar details and used for stock market manipulation. Insurance claims filed using someone else’s identity. Property registrations attempted with forged documents built on leaked data. Each of these scenarios involves a different kind of damage and a different set of institutions you have to approach to fix it, but they all begin the same way: someone, somewhere, had access to another person’s Aadhaar details and used them without authorisation.
The financial loss is one thing. The time you lose trying to prove you are innocent of something you never did is another thing entirely, and I suspect that second cost is actually worse for most people. You cannot bill anyone for the hours you spent in a police station. You cannot invoice the lending company for the stress of watching your credit score crater. The system treats you as the responsible party until you prove otherwise, and proving otherwise takes months.
Government Response So Far
UIDAI has introduced several security features over the years, and some of them are genuinely useful. The biometric lock feature, which lets you disable fingerprint and iris authentication when you are not actively using it, is probably the single most effective defensive measure available to individual users right now. The Virtual ID system, which generates a temporary 16-digit number you can share instead of your real Aadhaar number, adds another layer of protection. The masked Aadhaar card, which shows only the last four digits, reduces the risk when you have to share a photocopy.
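The two points made earlier, that a leaked record is a whole profile rather than a bare number and that the masked form keeps only the last four digits, translate into a data-minimisation habit for any organisation that stores these numbers: keep the full number in one tightly controlled place and let everything downstream (support tickets, logs, exports) see only the masked value and the fields it actually needs. The Python below is an added example written for this post, not code from the author, from UIDAI or from any named company; the sample record, the log lines, the field allowlist and the `XXXX XXXX NNNN` masking format are all constructed assumptions for the illustration.

```python
import re
from typing import Any

# Constructed sample record in the shape the post describes leaking in bulk:
# the identity number bundled with name, date of birth, address, phone, email.
# Every value is invented for this example.
SAMPLE_RECORD = {
    "name": "Example Person",
    "dob": "1990-01-01",
    "address": "12 Example Street, Example City",
    "phone": "9999999999",
    "email": "example@example.invalid",
    "aadhaar": "1234 5678 9012",
    "policy_id": "POL-0001",
}

# Constructed log lines such as an eKYC service might write. Two of them carry
# a full 12-digit number, one contiguous and one in the 4-4-4 groups printed on the card.
SAMPLE_LOG_LINES = [
    "2024-01-01T10:00:00Z ekyc request uid=1234 5678 9012 result=ok",
    "2024-01-01T10:00:01Z ekyc request uid=123456789012 result=fail",
    "2024-01-01T10:00:02Z otp sent to 9999999999",
]

# Matches a 12-digit number written contiguously or as 4-4-4 groups separated by a
# space or hyphen. The word boundaries stop it firing inside longer digit runs, and a
# 10-digit phone number does not match because three groups of four are required.
AADHAAR_PATTERN = re.compile(r"\b(\d{4})[ -]?(\d{4})[ -]?(\d{4})\b")

# Fields a lower-trust consumer is allowed to receive. Anything not listed is dropped,
# never copied. This allowlist is an assumption for the example, not a rule from any regulator.
ALLOWED_FIELDS = ("name", "aadhaar", "policy_id")


def mask_aadhaar(value: str) -> str:
    """Replace every Aadhaar-shaped number in the string with XXXX XXXX and its last four digits."""
    return AADHAAR_PATTERN.sub(lambda m: f"XXXX XXXX {m.group(3)}", value)


def minimise_record(record: dict[str, Any], allowed: tuple[str, ...] = ALLOWED_FIELDS) -> dict[str, str]:
    """Copy only allowlisted fields, masking any identity number on the way out."""
    out: dict[str, str] = {}
    for key in allowed:
        if key in record:
            out[key] = mask_aadhaar(str(record[key]))
    return out


def contains_unmasked_aadhaar(text: str) -> bool:
    """Detection check: True if a full 12-digit number survives in the text."""
    return AADHAAR_PATTERN.search(text) is not None


def audit_log(lines: list[str]) -> tuple[list[str], int]:
    """Scrub a batch of log lines and count how many carried a full number before scrubbing.

    The count is the useful signal: a non-zero value means some component upstream is
    still writing full identity numbers into logs and needs fixing at the source.
    """
    scrubbed: list[str] = []
    hits = 0
    for line in lines:
        if contains_unmasked_aadhaar(line):
            hits += 1
        scrubbed.append(mask_aadhaar(line))
    return scrubbed, hits


if __name__ == "__main__":
    print(minimise_record(SAMPLE_RECORD))
    cleaned, count = audit_log(SAMPLE_LOG_LINES)
    print(f"{count} line(s) carried a full identity number before scrubbing")
    for line in cleaned:
        print(line)
```

Running it prints the minimised record with the number reduced to its last four digits and reports two log lines that had carried a full number. The masking is applied as a transformation on the way out of the trusted store, and `contains_unmasked_aadhaar` is the check a log pipeline can run to alert on any line where that transformation was skipped.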
These are good steps. I used all three of them after my research, and I felt marginally safer for having done so. But they share a common limitation: they are all opt-in, and most people do not know they exist.
I asked ten people in my office if they had locked their Aadhaar biometrics. One person had. The other nine did not know the feature existed. I asked my parents and my in-laws. None of them had heard of Virtual ID. These are all people who have smartphones, who use the internet daily, who have bank accounts and PAN cards linked to their Aadhaar. They are exactly the people who need these protections, and none of them were using any of them, not because they are irresponsible, but because nobody told them.
UIDAI’s public communication about these features has been minimal. The mAadhaar app, where you can access most of these settings, has over 100 million downloads on the Play Store, but the average user opens it only to download their Aadhaar card. The biometric lock, the Virtual ID, the authentication history check, and the masked Aadhaar option are buried in menus that most people never explore. I would argue that features this important should be enabled by default, not hidden behind optional settings that require the user to first hear about the feature, then find it, then understand what it does, and then decide to turn it on.
On the regulatory side, the Digital Personal Data Protection Act passed in 2023 was supposed to change the equation. It introduced penalties for organisations that fail to protect personal data, and it included provisions for mandatory breach notification. But the rules under the Act are still being finalised, enforcement mechanisms are still being set up, and the Data Protection Board that is supposed to hear complaints has not yet become fully operational in any meaningful way that affects how companies handle your data day to day.
Meanwhile, the Aadhaar Act itself has limited provisions for individual redress. If your data leaks from a government portal, the process for holding that department accountable is unclear. If a private company that collected your Aadhaar for KYC purposes gets breached, the liability framework is fuzzy. You can file a complaint with UIDAI, you can file an FIR, but the practical chances of getting a resolution through either channel, based on what I have read and the people I have talked to, are slim unless the case gets media attention or involves a very large sum of money.
The gap between what the government has built in terms of security features and what the government has done in terms of holding data handlers accountable is wide. The tools for individual protection exist and some of them are good. But the systemic protections, the regulations and enforcement that would prevent breaches from happening in the first place, are still catching up. I do not know how long that catching up will take. Judging by the pace so far, it could be years.
Living With the Uncertainty
After two weeks of reading about all of this, I took a few practical steps. I locked my biometrics through the mAadhaar app. It took about two minutes. I generated a Virtual ID and started using it wherever a service asks for my Aadhaar number. I checked my authentication history on the UIDAI portal and went through every entry for the past year. All legitimate. I pulled my CIBIL report and looked for loans or credit enquiries I did not recognise. Nothing suspicious, which was a relief. I set calendar reminders to check both of these once a month.
I downloaded a masked Aadhaar card, the version that shows only the last four digits, and I now use that whenever anyone asks for a photocopy. Hotels, courier services, the new gym I joined last month. If they push back, I tell them UIDAI provides this format specifically for this purpose. So far, nobody has refused it.
I called my parents and walked them through locking their biometrics too. That took about twenty minutes, mostly because my mother’s mAadhaar app needed an update and her phone storage was full. I helped my father generate a Virtual ID over the phone. Small steps. But they felt better than doing nothing.
The honest truth, though, is that none of these measures address the core problem. My Aadhaar data already exists in databases I cannot access, managed by organisations whose security practices I cannot audit, stored on servers whose configurations I will never know about. I can lock my biometrics going forward, but I cannot undo the hundreds of times my fingerprints were scanned at various authentication points over the past decade. I can use a Virtual ID from now on, but my real Aadhaar number has already been shared with fifteen or twenty different entities over the years. The horse, as they say, has already left the stable.
So I am left in this uncomfortable middle ground where I have done what I can and it does not feel like enough. I check my CIBIL report monthly and wonder each time if this will be the month something shows up. I look at my phone when it briefly loses signal and feel a tiny jolt of panic before it reconnects. I am not consumed by this worry. I still function normally, still go about my day, still use Aadhaar when required because there is no realistic alternative for most government and financial services in India. But there is a background hum of unease that was not there before I started looking into this, and I do not think it is going away.
I keep thinking about that phone call. The one that started all this research. Someone out there had my name and partial Aadhaar and called me like it was nothing. I locked my biometrics, enabled the Virtual ID, filed a complaint. But the unease has not gone away. Maybe it should not.