When Your Inbox Becomes Someone Else's Problem
Somewhere around 2024, my inbox started getting interesting.
Not interesting in a good way. Interesting in a “why am I receiving payment advices from a major international bank addressed to an Indian tech company” way. Bank transaction references. INR amounts. Partial account numbers. All addressed to a company I’d never heard of, all landing in my personal Gmail.
I assumed it was a typo. A one-time thing. I replied to the bank, told them I wasn’t the intended recipient, and moved on.
The emails kept coming.
The company in question is a government-authorized processor of national identity infrastructure in India. I’m deliberately not naming them yet. More on that at the end. Their mandate is not small: they handle applications for government-issued tax identity numbers used in every financial transaction in the country, operate as a registrar for the national biometric identity system, and serve as the central recordkeeping agency for the national pension system. They are a critical node in India’s digital public infrastructure. The data of hundreds of millions of citizens flows through them.
And for reasons I still don’t fully understand, they registered a Gmail address they don’t own as an operational contact email.
Mine.
What started arriving
- Payment advices from a major international bank, containing transaction references, payment amounts, and partial banking details — on behalf of corporate clients paying this company
- Invoice documents from those corporate clients, explicitly addressed to the company, with financial attachments
- Government identity application tokens, generated by real citizens submitting real applications through the company’s official portal, routed to my inbox instead of theirs
- Internal Security Operations Centre ticket notifications, from the company’s own security team, with my address embedded as a CC recipient in their internal incident management system
- Direct emails from citizens submitting personal requests — including full government ID numbers, acknowledgement numbers, and personal documents — because they believed my address was an official company contact
That last one keeps me up at night. Those people have no idea their identity application data went to a stranger on the other side of the world.
I tried to fix it quietly.
Multiple times, over years.
I contacted the bank. No response; the emails continued. I contacted corporate clients whose communications were landing in my inbox, warning them they were sending sensitive financial and tax documents to an unintended foreign recipient. No corrective action. I used the company’s own contact form to report the issue. I reached out directly to the company’s CTO on LinkedIn — he read the message, I can see that much — and never responded.
Years passed. The emails kept coming.
I want to be clear: I was patient. I gave this company every reasonable opportunity to fix an embarrassing but correctable mistake quietly, without any of this becoming public. That window is closed.
This week broke me.
Suddenly, earlier this week, a new system was turned on. Clearly. Because I received 43 — yes, FORTY-THREE — government identity application tokens in a matter of a few hours. Forty-three real people, submitting real applications for government-issued tax IDs, whose confirmation emails went to me instead of them. That’s not a misconfigured email address anymore. That’s an active, ongoing data breach affecting real citizens trying to interact with their own government.
I’m done being quiet about it.
What the law says
This isn’t just embarrassing. It’s illegal. Specifically and clearly.
India’s Digital Personal Data Protection Act 2023 (DPDPA), with its implementing Rules fully notified in November 2025, places unambiguous obligations on any organization that processes citizens’ personal data. As a government-authorized processor of identity applications, this company is a Data Fiduciary under the Act, and the full weight of its obligations applies.
Those obligations include:
Reasonable security safeguards — The DPDP Rules mandate specific minimum controls: access controls, encryption, logging, monitoring, and continuity measures. Routing citizens’ identity application tokens and PII to an unverified third-party email address for years doesn’t meet that bar by any interpretation.
Mandatory breach notification — Upon becoming aware of a personal data breach, a Data Fiduciary must notify the Data Protection Board of India without delay, followed by a detailed report within 72 hours. They must also notify affected individuals promptly in plain language. The penalties for failing to notify are up to ₹200 crore (~$24M USD). I’ve been receiving this company’s citizens’ data for years. At what point did they become “aware”? Their CTO read my LinkedIn message in September 2025. That seems like a reasonable point of awareness.
The IT Act 2000 is also still in play. Section 43A establishes compensation liability for negligent handling of sensitive personal data. Section 72A creates criminal liability for unauthorized disclosure of personal information. And CERT-In’s 2022 directive, which applies directly to government-adjacent service providers, mandates breach reporting within six hours of becoming aware of an incident. Non-compliance carries imprisonment and fines.
Here’s the part that really gets me: this company’s own Security Operations Centre ticket notifications were landing in my inbox. Their security team — the people whose job it is to catch exactly this kind of thing — had my email address baked into their internal incident management system as a CC recipient. That’s not a misconfigured contact form. That’s a systemic failure embedded in the infrastructure that’s supposed to prevent systemic failures.
What I did about it
When years of polite outreach get you nothing, you go regulatory. I identified the agencies with actual jurisdiction and filed formal complaints simultaneously: no window to quietly fix one thread while ignoring the others.
CERT-In (India’s national cybersecurity authority) — filed as an active, ongoing security incident under the IT Act. The SOC ticket detail was the sharp edge here: this isn’t a misconfigured public-facing email, it’s embedded in their internal security operations.
The Income Tax Department — they’re the authority that licenses this company to process PAN (Permanent Account Number) applications in the first place. Leaking citizens’ application tokens to a foreign national goes directly to whether they should hold that license.
The Reserve Bank of India — aimed at the bank whose automated systems have been sending me confidential payment data for years, after I explicitly told them in writing that they had the wrong person.
All three filed the same day. All three referencing the same documented evidence trail.
Why I’m writing this
Partly because I’m frustrated and I’ve been sitting on it for too long.
But mostly because this is a pattern that repeats everywhere, and it’s worth talking about. The actual security failure here isn’t the misconfigured email address. Changing an email address is trivial. It’s a five-minute fix. The failure is organizational. Nobody with the authority to fix it took the repeated, documented warnings seriously enough to act. The CTO read my message. The bank got my reply. The corporate clients got my notification. Nobody moved.
That’s always the real vulnerability. Not the technical misconfiguration, but the culture that lets it sit there for years because fixing it isn’t anyone’s priority.
I don’t know how many Indian citizens’ government identity data has passed through my inbox at this point. I haven’t opened most of it. I haven’t used any of it. But the fact that I could have — that anyone with access to that Gmail account could have — should concern every one of those citizens if they knew.
They don’t know. That bothers me more than anything else about this.
What’s happening now
This is a living post. I’m updating it as the regulatory process unfolds. What started as a simple blog post has become the real-time record of what happens when you try to get a government-authorized company to stop leaking citizen data.
Complaint timeline
March 16 — Filed simultaneously with three regulators.
- CERT-In (India’s national cybersecurity authority): Filed as an active security incident under the IT Act. Within hours — the same day — they responded requesting evidence. I provided a comprehensive package: screenshots of PAN tokens, the SOC ticket, bank payment advices, corporate invoices, citizen PII, and the full timeline of ignored remediation attempts. PGP-signed exchange. Investigation is active.
- Income Tax Department: Filed regarding the company’s authorization to process PAN applications. The complaint was logged as a grievance, then immediately “resolved” — without being read — by directing me to call the company’s own customer care line. The company I’m reporting. The company I have repeatedly tried to contact already. A complaint about a data breach, dismissed by telling me to phone the non-responsive company that’s breaching data. Nice.
- Reserve Bank of India: Filed against the bank whose automated systems have been sending me confidential payment data for years. Pending response.
March 17 — Dispute filed with the Income Tax Department.
After their circular dismissal, I filed a formal dispute as a direct reply, attaching redacted evidence screenshots and referencing the active CERT-In investigation. The message was clear: this is not a customer service issue. This is a data protection failure by an entity you license.
Pending response.
March 17 — The PAN tokens stopped.
For two straight days after filing, PAN token emails continued to arrive. Then, abruptly, they stopped. No notification from the company. No confirmation from CERT-In that action was taken. Just silence where identity documents used to land.
Whether the broader data leak — payment advices, invoices, corporate filings — has also stopped remains to be seen.
The company’s name isn’t in this post. Yet. If and when it needs to be, it will come with receipts.
I’ll keep updating this post as the situation develops, and may file a full follow-up post later. Check back.