The Unique Identification Authority of India (UIDAI) and the Indian Computer Emergency Response Team (CERT-In) are looking into a possible leak of Aadhaar data from a few websites, and the government may also take action against such entities, sources told Moneycontrol.

"UIDAI and CERT-In are looking into the issue. They will take action against erring entities if violation is found," a senior government official said.

This comes after it was found that a simple Google search for "index of Aadhaar card" returned results listing websites that were hosting citizens' Aadhaar details. One can simply click on these websites to access complete details of citizens' Aadhaar.

Indian Aerospace and Engineering, a Navi Mumbai-based institute which focuses on aircraft maintenance engineering, was one of the websites still leaking such Aadhaar data as of 12 pm, September 26.

The Star Kidz, an e-platform focusing on kids' development, too was leaking Aadhaar details until September 25. The URL in question has now been deactivated, Moneycontrol finds. The publication has reached out to both these establishments, and the article will be updated when a response is received.

The issue was first highlighted on social media by Debarghya Das, a venture capitalist at Menlo Ventures.

The security of Aadhaar data has long been a concern. Although the Aadhaar system incorporates multi-layered security measures, it has faced criticism and legal challenges related to data privacy. In 2018, the Supreme Court of India upheld the constitutional validity of Aadhaar but also limited its mandatory use, citing privacy concerns.

The recent Aadhaar data leaks come at a crucial time, as India introduced the Digital Personal Data Protection (DPDP) Act in 2023, which outlines stringent penalties for mishandling personal data. The Act is yet to be implemented.

Under the DPDP Act, entities found violating data protection norms may face fines of up to Rs 250 crore, depending on the severity of the breach.

The Act places significant responsibility on data fiduciaries (organisations handling personal data) to ensure adequate safeguards, particularly for sensitive information like Aadhaar.

With the upcoming DPDP Rules set to further clarify operational aspects, including data retention, consent, and breach reporting, institutions leaking such information could be subject to strict enforcement actions.

While the DPDP Act awaits implementation, under the existing Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, any entity found mishandling sensitive personal data, including Aadhaar numbers, could face strict penalties.