The Government of India has blocked multiple websites found to be exposing sensitive information, including Aadhaar and PAN card details of Indian citizens. This action, initiated by the Ministry of Electronics and Information Technology (MeitY), is part of an ongoing effort to prevent unauthorized access to personal data and to strengthen the country's data security framework. The crackdown comes amid growing concerns about the security of personal information in an increasingly digital world.

The primary reason for blocking these websites stems from their involvement in violating Section 29(4) of the Aadhaar Act, 2016. This section explicitly prohibits the public display of Aadhaar numbers and related information. The Unique Identification Authority of India (UIDAI), which manages the Aadhaar system, took immediate action by filing an official complaint with the police against these websites. The exposure of such sensitive data raised alarm bells about the potential misuse of citizens' personal information, including identity theft, fraud, and other cybercrimes.

In response to this breach, the Indian Computer Emergency Response Team (CERT-In), a government agency responsible for handling cybersecurity threats, conducted a thorough investigation. The investigation revealed several vulnerabilities within the compromised websites, which made them susceptible to unauthorized access and data leaks. As a result, CERT-In promptly provided the website owners with detailed instructions to rectify these security flaws and enhance their information and communication technology (ICT) infrastructure.

To prevent similar incidents from recurring, CERT-In issued comprehensive guidelines aimed at ensuring the secure design, development, implementation, and operation of IT applications. Organizations that handle sensitive data are expected to adhere to these guidelines to prevent unauthorized access and protect personal information.

In addition to the immediate action taken, CERT-In has also issued directives under the Information Technology (IT) Act, of 2000, outlining specific security practices and procedures that organizations must follow to prevent cyber incidents. These directives require organizations to report any data breaches promptly.

The IT Act, of 2000, serves as a crucial legislative framework for regulating cybersecurity in India. It empowers the government to take decisive actions against entities that fail to comply with security standards.

MeitY has emphasized the importance of adhering to the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. These rules mandate that sensitive personal data must not be disclosed publicly or shared without proper authorization. They establish a robust framework for the secure handling of personal data.

If individuals believe their data has been compromised, they have the right to file complaints with Adjudicating Officers, who are appointed IT Secretaries in each state. These officers possess the authority to impose penalties and award compensation to affected parties under Section 46 of the IT Act.

In addition to existing laws and regulations, the Indian government has introduced the Digital Personal Data Protection Act, of 2023, to further boost data protection in the country.

The rules under the Digital Personal Data Protection Act, of 2023, are currently in the final stages of drafting and are expected to be enforced soon. Once implemented, they will provide clear guidelines on how personal data should be collected, processed, stored, and shared.

To ensure widespread awareness and understanding of these new regulations, the government has launched an awareness campaign targeting citizens, businesses, and government entities. This campaign is designed to inform them about their responsibilities when handling personal data.