If your Aadhaar or PAN card data is leaked, you must take three immediate steps to prevent identity theft: First, lock your Aadhaar biometrics using the mAadhaar app or UIDAI website. Second, pull your CIBIL credit report to check for unauthorized loans taken out in your name. Third, be extremely vigilant against incoming calls claiming to be from the police, banks, or telecom operators asking for OTPs to "verify" your leaked documents.
In India, your Aadhaar and PAN cards are the absolute foundation of your financial and legal identity. They are linked to your bank accounts, your mobile number, your mutual funds, and your tax filings.
Unfortunately, large-scale data breaches at hospitals, telecom companies, and private enterprises have led to millions of Aadhaar and PAN details being sold on the dark web. If you suspect your details have been compromised, or if you simply want to secure your identity proactively, you must act fast.
Here is the definitive guide on what to do if your Aadhaar or PAN card data is leaked.
Step 1: Lock Your Aadhaar Biometrics Immediately
If a scammer has your Aadhaar number, they might try to clone your fingerprints (often stolen from property registration documents) to siphon money via the Aadhaar Enabled Payment System (AePS).
You can stop this entirely by locking your biometrics.
- Download the official mAadhaar app or visit the UIDAI website.
- Log in using your Aadhaar number and the OTP sent to your registered mobile number.
- Navigate to the "Lock/Unlock Biometrics" section.
- Enable the lock.
When your biometrics are locked, no one—not even you—can use your fingerprint or iris scan to authenticate a transaction. If you ever need to use your fingerprint (for example, to buy a new SIM card), you can temporarily unlock it via the app for 10 minutes.
Step 2: Check for PAN Card Misuse (Fake Loans)
Scammers frequently use stolen PAN card details and forged Aadhaar cards to take out instant personal loans from digital lending apps. Because the loan is in your name, you will be held responsible, and your credit score will be destroyed when the scammers inevitably default on the payments.
To check if your PAN has been misused:
- Go to a recognized credit bureau website like CIBIL, Experian, or Equifax.
- Request a free annual credit report (you are legally entitled to one free report per year).
- Review the "Active Accounts" or "Loan Inquiries" section carefully.
- If you see a personal loan from an NBFC (Non-Banking Financial Company) or a digital app that you did not authorize, you are a victim of identity theft.
How to fix it: Immediately contact the lending company listed on the credit report, inform them that the loan was taken fraudulently using stolen KYC documents, and demand an investigation. You should also file a formal complaint on the National Cyber Crime Reporting Portal (cybercrime.gov.in).
Step 3: Deactivate Unauthorized SIM Cards
Scammers use stolen Aadhaar details to buy SIM cards, which they then use to run WhatsApp scams, commit financial fraud, or harass people. Because the SIM is registered in your name, the police will knock on your door when the crimes are reported.
To check if fake SIM cards are registered in your name:
- Visit the government's TAFCOP portal (sancharsathi.gov.in/sancharsaathi).
- Enter your active mobile number and OTP.
- The portal will display all mobile numbers registered against your Aadhaar card.
- If you see a number you do not recognize, select it and click "Not my number" or "Not required" to request immediate deactivation.
Step 4: Prepare for "Verification" Phishing Calls
Once scammers have your Aadhaar and PAN details, they will attempt to weaponize them against you via phone calls.
They will call you pretending to be from the CBI, the Reserve Bank of India (RBI), or your bank. They will recite your full name, your date of birth, and your Aadhaar number to prove they are "legitimate." They will then claim that your Aadhaar has been used in a money laundering case or that your bank account is being frozen.
This is the infamous Digital Arrest scam. They will demand that you transfer your funds to a "safe account" or ask for an OTP to "verify your identity."
Remember: Government agencies and banks will never ask for an OTP over the phone, nor will they ask you to transfer money to "clear your name." If you receive a call like this, disconnect immediately.
The AirlockChat Approach: Verification Without Retention
The epidemic of data leaks in India is largely caused by companies storing raw KYC documents (like unmasked Aadhaar cards and PAN cards) on insecure servers. When those servers are hacked, your data is exposed.
At AirlockChat, we believe in a fundamentally different approach: Verification without retention.
We require every user to verify their identity to keep the platform safe from fake profiles and scammers. However, we have engineered our system to be DPDPA-compliant and aggressively privacy-first:
- We Do Not Store Your Document Number: When you verify your identity via DigiLocker, we do not store your full Aadhaar or PAN number. We only store a heavily masked version (e.g.,
XXXXXXXX1234) purely for account recovery purposes. - We Do Not Store Your Address or Biometrics: We only extract the data absolutely necessary to prove you are a real person—specifically, your verified first name.
- Automated Purging: If you delete your AirlockChat account, all associated verification metadata is purged from our systems within 30 days.
We verify that you are real, but we do not hoard the data that makes you vulnerable to identity theft.
Key Takeaways
A data leak is highly stressful, but taking immediate action minimizes the damage. Lock your Aadhaar biometrics via UIDAI, check your CIBIL report for fraudulent loans, and audit your active SIM cards on the TAFCOP portal. Moving forward, only share your KYC documents with platforms that employ strict data masking and comply with India's data protection laws. For daily communication, rely on platforms like AirlockChat that enforce ID verification to keep scammers out, without hoarding the sensitive data that hackers want to steal.