In June 2024, Indonesia’s Temporary National Data Centre (PDN 2) was targeted by a ransomware attack that encrypted over 200 public services. The attackers, using a LockBit 3.0 variant known as Brain Cipher, demanded a USD 8 million ransom. Immigration systems froze, healthcare subsidies were delayed, and school certificates could not be issued. Day after day, for weeks, services were inaccessible, and confidence in digital governance was shaken.
What unfolded in Jakarta should not be dismissed as a distant crisis. Similar failures have already surfaced across the world. In 2023, a government misconfiguration in Bangladesh exposed the personal details of more than 50 million citizens.
In the Netherlands in 2024, records of 63,000 police officers were leaked, putting those responsible for public safety at risk. In Finland in 2020, the breach of the Vastaamo psychotherapy centre led to patients being blackmailed with their most private confessions. Similarly, in the United States, the 2015 breach of the Office of Personnel Management compromised the security clearance files of 5.6 million federal employees, an intelligence windfall for adversaries.
India’s Identity Exposures at Scale
India itself has not been spared. Several Aadhaar-related incidents have already revealed the dangers of managing identity at scale. In January 2018, reporters were able to purchase unauthorised credentials online for a nominal fee, which allowed them to query the Aadhaar database and retrieve names, addresses, photos, and phone numbers in plain text. That same year, poorly secured public-sector websites and APIs exposed data linked to more than 130 million citizens.
The problem has only grown.
On 9 October 2023, a Breach Forums user, calling themselves pwn0001, advertised what they claimed was an 815 million-record database of Aadhaar and passport details. The post listed fields such as names, phone numbers, Aadhaar numbers, passport numbers, addresses, districts, pincodes, and states, and even attached a sample of 100,000 records in plain text CSV format.
The advertisement described the dataset as 90GB, leaked in September 2023, and “never sold before.” Researchers later confirmed that at least some of the samples contained valid Aadhaar numbers and citizen details.
The same claim resurfaced repeatedly. In early March 2024, another actor using the alias markflaus posted the same “815 million” Aadhaar and passport database. In late July 2025, a poster calling themselves "joe-goldberg" made a similar offer, followed by "rofoy2984lu" in early August 2025.
Not every post is authentic (some may be duplications or scams), but the repetition matters. Once even a portion of such a dataset leaks, it circulates permanently across forums, torrents, and Telegram channels. Each new post becomes a test of whether oversights or missed vulnerabilities remain.
Plain Text Data: A Systemic Weakness
What is especially concerning is that much of the data appears in plain text. While UIDAI has consistently maintained that biometric data is encrypted, demographic and linked identity data have allegedly been stored or transmitted without strong encryption in some systems and third-party databases.
If Aadhaar numbers, addresses, and phone numbers had been correctly encrypted at rest, in transit, and in use, the leaked files would not have been directly readable. Instead, the samples being traded look like ordinary spreadsheets, line by line, making them immediately useful for fraud and identity theft.
This reality requires a change in mindset: defenders must assume that a breach will occur. Threat actors are already probing, and some have already gained entry. Under this assumption, hygiene is no longer optional. Encryption by default, strict access controls, and continuous monitoring are essential guardrails that limit the damage even when attackers gain entry.
Taken together, global and Indian incidents demonstrate that data breaches are no longer limited to scattered leaks or stolen credit cards. They are systemic shocks. They damage governance, erode public trust, and tilt the balance of national security. In Indonesia, a ransomware infection paralysed state functions. In Finland, therapy notes became weapons of coercion. In Washington, personnel files turned into an espionage goldmine. In India, Aadhaar-related exposures demonstrate that national identity can also become a national liability if its protection is inadequate.
Building Resilience for Civic Lifelines
Moving forward, India must rethink its approach. Data infrastructures like Aadhaar, UPI, DigiLocker, and GSTN are civic lifelines, no less critical than power grids or highways. Protecting them requires more than firewalls. It requires continuity planning so that services can recover quickly under attack, mandatory breach disclosure to prevent incidents from being hidden, and proactive intelligence to monitor dark web forums and Telegram channels, where stolen credentials and phishing kits are often posted long before deployment.
Architecture matters as well. Estonia’s reforms following its 2007 cyberattack demonstrate how distributing government data across secure nodes and backing up databases abroad reduces dependence on single points of failure. India can adapt similar models. Equally important is the human layer: many breaches begin with reused passwords, misconfigured servers, or poorly trained administrators. Cyber hygiene must become as basic a civic skill as literacy and numeracy, taught to students, officials, and kiosk operators alike.
Above all, data security is about trust. Citizens expect their identities, financial records, and medical histories to be safeguarded. When that trust is broken, the harm lingers long after systems are patched. Finns whose therapy notes were leaked, US officials whose background files were stolen, or Indians whose Aadhaar numbers now circulate online may never feel fully secure again.
Sovereignty in the twenty-first century is not defined only by territory or military might, but by control over data and the ability to defend it. The breaches of the past decade are not accidents; they are signals. For India, they serve as a lesson: data security is national security.
The choice is not whether breaches will happen—they already have. The choice is whether India will build the resilience, the intelligence, and the hygiene to withstand them. A digital future without secure data is fragile. Protecting it is not optional. It is essential.
The author is the Founder and CEO of PygmalionGlobal. He collaborates with multiple cybersecurity companies, including NPCore in South Korea, and engages with government agencies and conglomerates across Asia.