Protean eGov: Two Years of Silence
In March, I wrote about an unnamed company leaking citizens’ data to my inbox. I deliberately withheld the name. I’d filed regulatory complaints, I wanted to give the system a chance to work, and I believe in responsible disclosure.
That was six weeks ago. I had decided that if nothing changed in six weeks, I would name them publicly. However, almost immediately after filing my complaints, the PAN tokens stopped arriving, and I received no further communications from any party. I was willing to let the matter rest and give the system time to work.
Then, this morning, I received another Citibank India payment advice addressed to them, routed to my personal Gmail.
The name is Protean eGov Technologies Limited (formerly NSDL e-Governance Infrastructure Limited). They are the responsible party. It’s time you knew that.
Two years. Eight payment advices from Citibank India. 73 PAN tokens with attachments. Indian tax documents meant for Protean eGov. Indian citizens sending me their PII because they believe my email address is an operational contact for Protean eGov. Indian businesses sending invoices to Protean eGov. Internal security operations centre notifications from Protean eGov. Three regulatory complaints. One CTO who read my LinkedIn message and said nothing. Zero fixes.
Who is Protean eGov?
Protean eGov Technologies Limited is a government-authorized processor of critical identity infrastructure in India. They operate as:
- The primary processor of PAN (Permanent Account Number) applications — the tax identity number required for every financial transaction in the country
- A registrar for Aadhaar, India’s biometric identity system covering over a billion citizens
- The central recordkeeping agency for the National Pension System
They are not a startup. They are not a small vendor. They are a load-bearing pillar of India’s digital public infrastructure, processing the identity data of hundreds of millions of citizens. Their clients include Citibank, and their oversight comes from the Income Tax Department, SEBI, and the Reserve Bank of India.
What they’ve been sending me
At some point — I can trace it back to at least mid-2024 — Protean eGov registered a Gmail address they don’t own as an operational contact email.
Mine.
Since then, I have received:
- Citibank India payment advices containing transaction references, INR amounts, and partial banking details for payments made to Protean eGov by corporate clients. Eight of these. The first arrived May 24, 2024. The most recent arrived today, April 27, 2026.
- Corporate invoices from clients like GHCL Textiles, explicitly addressed to Protean eGov, with financial attachments.
- PAN application tokens generated by real citizens submitting real applications through Protean’s official portal. On March 16, 2026, I received 43 of these in a matter of hours. Forty-three real people, applying for government-issued tax IDs, whose confirmation emails went to a stranger in the United States.
- Internal Security Operations Centre ticket notifications — from Protean eGov’s own security team — with my address embedded as a CC recipient in their internal incident management system.
- Direct emails from citizens submitting personal requests, including full government ID numbers, acknowledgement numbers, and personal documents, because they believed my address was an official Protean eGov contact.
Their own SOC was CC’ing me on security tickets. The team whose job is to catch exactly this kind of failure had my email address baked into the infrastructure.
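The failure described above is an email address the organisation does not control being stored as an operational contact or CC recipient across several systems. The check a defender would want is a periodic audit of every configured notification recipient against the domains the organisation actually owns. The script below is an added example written for this post; it is not code from the original post or from any organisation named in it. Every domain, system name and address in it is a constructed placeholder, and the allowlist and webmail list are assumptions a real deployment would replace with its own.

```python
"""Audit configured notification recipients for addresses outside owned domains.

Added example (not code from the original post or from any organisation
named in it). Every domain, system name and address below is a constructed
placeholder chosen to illustrate the misconfiguration the post describes:
an email address the organisation does not control being registered as an
operational contact or CC recipient.
"""
import re
from dataclasses import dataclass

# Domains the organisation actually controls (constructed placeholder).
OWNED_DOMAINS = frozenset({"example-fiduciary.invalid"})

# Public webmail domains that should never hold an operational-contact role
# (assumed list; extend to match your own policy).
CONSUMER_WEBMAIL = frozenset({"gmail.com", "googlemail.com", "yahoo.com",
                              "outlook.com", "hotmail.com", "protonmail.com"})

# Loose syntactic check: one '@', a non-empty local part, a dotted domain.
_ADDR_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")


@dataclass(frozen=True)
class Finding:
    system: str   # which configuration store the recipient came from
    role: str     # what the address is used for in that system
    address: str
    reason: str


def address_domain(address):
    """Return the lower-cased domain part, or None if the address is malformed."""
    m = _ADDR_RE.match(address.strip())
    return m.group(1).lower() if m else None


def is_owned(domain):
    """True if the domain is an owned domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in OWNED_DOMAINS)


def audit_recipients(records):
    """records: iterable of (system, role, address) tuples.

    Returns a Finding for every recipient that should not be carrying an
    operational role: malformed, on a consumer webmail domain, or simply
    not on the owned-domain allowlist.
    """
    findings = []
    for system, role, address in records:
        domain = address_domain(address)
        if domain is None:
            findings.append(Finding(system, role, address, "malformed address"))
        elif domain in CONSUMER_WEBMAIL:
            findings.append(Finding(system, role, address, "consumer webmail domain"))
        elif not is_owned(domain):
            findings.append(Finding(system, role, address, "domain not in owned allowlist"))
    return findings


def summarize(records):
    """Count findings by reason; a scheduled job can alert on any non-zero count."""
    counts = {}
    for f in audit_recipients(records):
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


# Constructed sample of recipient configuration, shaped like a dump from a
# citizen-facing portal, a ticketing tool and a bank-facing payment channel.
SAMPLE_RECORDS = [
    ("pan-portal", "applicant-confirmation-cc", "ops-alerts@example-fiduciary.invalid"),
    ("pan-portal", "applicant-confirmation-cc", "ops.contact@gmail.com"),
    ("soc-ticketing", "incident-cc", "soc@sec.example-fiduciary.invalid"),
    ("soc-ticketing", "incident-cc", "security-team@hotmail.com"),
    ("bank-advice-channel", "remittance-advice-to", "treasury@old-vendor.invalid"),
    ("bank-advice-channel", "remittance-advice-to", "treasury at example-fiduciary.invalid"),
]


if __name__ == "__main__":
    for f in audit_recipients(SAMPLE_RECORDS):
        print(f"{f.system:20} {f.role:26} {f.address:40} {f.reason}")
    print(summarize(SAMPLE_RECORDS))
```

Run against a real export, the interesting output is any finding at all: a recipient on a consumer webmail domain or off the allowlist is exactly the kind of entry that, once created, keeps receiving payment advices, application confirmations and ticket CCs until someone looks for it. Subdomains of owned domains are accepted so that internal mail routing (a SOC mailbox under its own subdomain, say) does not produce noise.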
Every channel. Every attempt. Every silence.
I didn’t start with a blog post. I started with quiet, direct outreach. Here’s the full timeline.
May 24, 2024 — The first Citibank payment advice arrives. I reply directly to Citibank India the same day, informing them I am not the intended recipient and that confidential financial data is being sent to an uncontrolled personal email address.
No response. The emails continue.
April 29, 2025 — I reply to Protiviti India after receiving tax documentation addressed to Protean eGov through my inbox, warning them that their communications are reaching an unintended foreign recipient.
No corrective action.
Date unknown (I believe around July), 2025 — I use Protean eGov’s own website contact form to report the issue.
No response.
September 17, 2025 — I message Protean eGov’s CTO, Dattaram Mhadgut, directly on LinkedIn. I explain the situation clearly: his company’s systems are routing sensitive data — including citizens’ identity applications — to my personal email. I ask him to fix it.
He reads the message. LinkedIn shows me that much. He never responds.
March 16, 2026 — 43 PAN application tokens arrive in a few hours. I’m done being quiet.
March 16, 2026 — I file formal complaints simultaneously with three Indian regulatory bodies:
- CERT-In (India’s national cybersecurity authority) — filed as an active, ongoing security incident under the IT Act. CERT-In responds the same day requesting evidence. I provide a comprehensive package: screenshots of PAN tokens, SOC tickets, payment advices, invoices, citizen PII, and the full timeline of ignored outreach. PGP-signed exchange.
- Income Tax Department — filed regarding Protean eGov’s authorization to process PAN applications. The department logs it as a grievance, then immediately marks it “resolved” by directing me to call Protean eGov’s customer care line. The company I’m reporting. The company that has ignored every contact attempt for two years.
- Reserve Bank of India — filed against Citibank India for continuing to send confidential payment data to an unverified recipient after being explicitly notified.
March 17, 2026 — I file a formal dispute with the Income Tax Department over their circular dismissal, attaching redacted evidence and referencing the active CERT-In investigation.
March 17, 2026 — The PAN token emails stop. No explanation. No notification. Just silence.
March 21, 2026 — I publish an anonymized blog post documenting the situation without naming the company. I share it on LinkedIn.
April 27, 2026 — Today. Another Citibank India payment advice arrives in my inbox. Addressed to Protean eGov. Same format. Same data exposure. Same email address they were told about two years ago.
Nothing was fixed. The PAN tokens may have stopped, but the underlying misconfiguration — the one that started all of this — is still active.
What the law says
This isn’t ambiguous.
India’s Digital Personal Data Protection Act 2023 (DPDPA), with its implementing DPDP Rules fully notified in November 2025, places unambiguous obligations on organizations processing citizens’ personal data. As a government-authorized processor of PAN applications and Aadhaar registrations, Protean eGov is a Data Fiduciary under the Act.
The DPDP Rules mandate specific minimum controls: access controls, encryption, logging, monitoring, and continuity measures. Routing citizens’ identity application tokens and PII to an unverified third-party email address for years does not meet that bar.
Upon becoming aware of a personal data breach, a Data Fiduciary must notify the Data Protection Board of India without delay, followed by a detailed report within 72 hours. They must notify affected individuals promptly and in plain language. Failure to notify carries penalties of up to Rs 200 crore (~$24M USD).
Protean eGov’s CTO read my LinkedIn message on September 17, 2025. That is a documented point of awareness. No notification was made to the Data Protection Board. No notification was made to affected citizens.
The IT Act 2000 applies independently. Section 43A establishes compensation liability for negligent handling of sensitive personal data. Section 72A creates criminal liability for unauthorized disclosure. CERT-In’s 2022 directive, applicable to government-adjacent service providers, mandates breach reporting within six hours of becoming aware. Non-compliance carries imprisonment and fines.
Why I’m naming them now
I gave Protean eGov two years of good faith. Direct contact with their bank. Direct contact with their auditor. Direct contact with their CTO. Their own contact form. Three regulatory complaints. An anonymized blog post. Six weeks of waiting after the regulators were engaged.
Today’s payment advice is the answer. Nothing changed. The misconfiguration that has been leaking data since at least May 2024 is still active in April 2026.
Responsible disclosure is not just a principle I follow — it’s one I enforce within my own organization. I understand the value of giving companies time and space to fix mistakes before they become public. But responsible disclosure is a two-way contract. It requires the disclosing party to be patient, and it requires the receiving party to act. When the receiving party ignores every channel for two years, the contract is void.
I don’t know how many Indian citizens’ data has passed through my inbox. I haven’t opened most of it. I haven’t used any of it. But the fact that I could have — that anyone with access to that Gmail account could have — should concern every one of those citizens.
They still don’t know. That still bothers me more than anything else about this.
What happens next
This post is the named follow-up to my original anonymized disclosure. Both posts are a matter of public record now.
I’m making this available to cybersecurity journalists and publications. Not because I want attention, but because two years of private outreach and five weeks of regulatory process have produced exactly one result: another payment advice in my inbox.
If you are a citizen of India who has applied for a PAN through Protean eGov’s portal, you should know that your application confirmation may have been sent to an email address the company does not control. You were not notified. You were not told. I’m telling you now because nobody else will.
If you are a regulator reading this: CERT-In has the evidence. The Income Tax Department has the grievance. The RBI has the complaint. The CTO was personally notified seven months ago. The documented trail is complete.
If you are Protean eGov: fix the email. Notify the affected citizens. Report the breach to the Data Protection Board. You’ve had two years. The five-minute fix is still waiting.
This is the second post in an ongoing series. The first post was published anonymously on March 21, 2026. I will continue to update as the situation develops.