Identity theft — misuse of your Aadhaar or PANSection 66C of the Information Technology Act, 2000 criminalises the fraudulent or dishonest use of any unique identification feature of another person. Read with Section 66D (cheating by personation through a computer resource), the offences regime of the Aadhaar Act, 2016 (Sections 38–40), and the post-Puttaswamy data-protection architecture, it forms the working law for Aadhaar and PAN misuse in 2026. Twelve digits, ten digits, and the law thatprotects them
[ Everyday Law ]

Identity theft — misuse of your Aadhaar or PAN

Section 66C of the Information Technology Act, 2000 criminalises the fraudulent or dishonest use of any unique identification feature of another person. Read with Section 66D (cheating by personation through a computer resource), the offences regime of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, and the post-Puttaswamy data-protection architecture, it forms the working law for Aadhaar and PAN misuse in 2026.

Identity theft in India sits at the intersection of three statutory regimes whose vocabularies do not entirely overlap. The Information Technology Act, 2000 — through Sections 66C and 66D inserted by the 2008 amendment — supplies the general offence of misusing another's unique identification feature on a computer resource. The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 supplies a specialised set of offences (Sections 38 to 40) targeted at the Aadhaar number, the Central Identities Data Repository (CIDR), and the biometric-authentication architecture. The Bharatiya Nyaya Sanhita, 2023 — replacing the Indian Penal Code, 1860 — supplies the traditional crimes of cheating, cheating by personation and forgery in their renumbered form. The constitutional ceiling is the Puttaswamy line: Justice K S Puttaswamy (Retd) v Union of India, (2017) 10 SCC 1, which held informational privacy to be a facet of Article 21, and Justice K S Puttaswamy (Retd) v Union of India, (2019) 1 SCC 1 (the Aadhaar-5J ruling), which upheld the Aadhaar Act subject to reading down Section 57. This piece sets out how the four regimes interact when a victim discovers that her Aadhaar or PAN has been misused — and what the practical route to redress now looks like.

Section 66C IT Act — the identity-theft offence

Section 66C of the Information Technology Act, 2000 reads: "Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh." The drafting is deliberately open-ended. The phrase "any other unique identification feature" was framed in the 2008 amendment to be technology-neutral; it captures Aadhaar numbers, PAN, OTPs, biometric templates, passwords, electronic signatures, and any future authentication token that the technology stack throws up.

The mens rea is dual — the section is satisfied by either "fraudulently" or "dishonestly" using another's identifier. The terms carry their settled meanings from the BNS [IPC] — "dishonestly" being defined in Section 2(7) of the Bharatiya Nyaya Sanhita, 2023 [Section 24 IPC] as causing wrongful gain or wrongful loss, and "fraudulently" in Section 2(11) BNS [Section 25 IPC] as doing a thing with intent to defraud. A person who keys in another's PAN to file a fraudulent income-tax return, who uses a stolen Aadhaar number to open a fake bank account, or who uses a leaked OTP to authenticate a UPI transaction is squarely within Section 66C — the offence is complete on the use, irrespective of whether the downstream fraud has matured into pecuniary loss.

Three features of Section 66C have shaped its practical operation. First, the offence is punishable with imprisonment up to three years and a fine up to one lakh rupees — modest by the standards of organised cyber fraud, and a point that the commentary has consistently flagged as under-deterrent. Second, it is a bailable, cognizable offence — the accused on arrest is entitled to bail as a matter of right under Section 480 of the Bharatiya Nagarik Suraksha Sanhita, 2023 [Section 436 CrPC], which limits its utility as a custodial tool against organised rackets. Third, the section sits within Chapter XI of the IT Act, and the special procedural framework of Section 78 — which mandates investigation by an officer not below the rank of Inspector — applies.

Section 66D and the cheating-by-personation overlap

Section 66D of the IT Act, inserted alongside Section 66C, addresses the related offence of cheating by personation by means of a computer resource: "Whoever, by means of any communication device or computer resource cheats by personating, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees." Where Section 66C punishes the bare misuse of a unique identifier, Section 66D punishes the consequential act of cheating that flows from it. The two are routinely charged together — a phishing operator who collects PANs and Aadhaar numbers and then opens fake accounts to siphon government subsidies attracts both.

The overlap with the general criminal law has hardened since the 2023 Sanhita revision. Section 319 of the Bharatiya Nyaya Sanhita, 2023 [Sections 416 and 419 IPC] continues the offence of cheating by personation in its general form, with imprisonment up to five years; Section 318 BNS [Section 415 read with Section 420 IPC] is the parent cheating offence; Section 336 BNS [Sections 463 and 464 IPC] is forgery. The cyber overlay (Sections 66C and 66D IT Act) and the general overlay (Sections 318, 319, 336 BNS) operate in parallel; the FIR ordinarily invokes all of them and the trial court applies Section 71 BNS [Section 71 IPC] on the bar against double punishment for the same act.

Two doctrinal points are worth flagging. First, the IT Act offences are governed by Section 81 of the IT Act, which gives the IT Act overriding effect over inconsistent provisions of other laws — but in practice, the overlap with the BNS is treated as cumulative, not displacing. Second, a recurring question is whether Section 66D requires the personation to be of an identifiable real person, or whether assuming a fictitious identity to cheat will do. The High Courts have read the section to cover both forms — the gravamen is the cheating, achieved through a computer-resource-mediated pretence; the existence of a real victim of the personation is an aggravator, not an ingredient.

The Aadhaar Act, 2016 — Sections 7, 29 and the disclosure regime

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 supplies the specialised statutory architecture around the Aadhaar number. Section 7 — upheld in Puttaswamy II, (2019) 1 SCC 1 — authorises the Central Government to make Aadhaar authentication a condition for receiving any subsidy, benefit or service for which expenditure is drawn from the Consolidated Fund of India. Section 7 is the gateway provision; everything from PDS to LPG subsidy flows through it. The 2019 Bench in Puttaswamy II, by a 4:1 majority (Sikri J for the plurality; Chandrachud J dissenting), held Section 7 constitutional, while reading down Section 33 (judicial-order disclosure) and striking down Section 57 in the form in which it permitted private parties to demand Aadhaar authentication.

The disclosure regime in the Aadhaar Act is the front line of the data-protection question. Section 29 prohibits the sharing of core biometric information and restricts the sharing of identity information except in accordance with the Act and the regulations. Section 33, as read down by the 2019 majority, permits disclosure pursuant to an order of a court not below the rank of a High Court Judge, after hearing the Aadhaar number holder. Section 33A — inserted by the 2019 amendment to address the post-Puttaswamy infirmities — provides for voluntary use of Aadhaar with offline verification. Section 34 governs disclosure in the interest of national security, subject to an oversight mechanism. Sections 35, 36 and 37 round out the disclosure architecture by penalising unauthorised disclosure with imprisonment that may extend to three years and a fine.

The offences regime — Sections 38 to 47 — is the criminal heart of the Aadhaar Act. Section 38 punishes unauthorised access to the Central Identities Data Repository with imprisonment up to ten years and a fine of not less than ten lakh rupees. Section 39 punishes tampering with data in the CIDR with similar punishment. Section 40 punishes unauthorised use of identity information by a requesting entity. Section 42 is a residuary penalty provision. Section 47 is the procedural restriction that cognizance of an offence under the Act can be taken only on a complaint made by the UIDAI or an authorised officer — a provision that the Delhi High Court and others have read narrowly to preserve the victim's parallel route under the IT Act and the BNS.

Section 7 also operates as the statutory anchor for the PAN–Aadhaar linkage. The Income-tax Act, 1961 (Section 139AA, inserted by the Finance Act 2017) makes Aadhaar quoting mandatory for PAN application and income-tax return filing — a requirement upheld in Binoy Viswam v Union of India, (2017) 7 SCC 59 on Article 14 and Article 19 grounds, with the Article 21 challenge held over for the larger Bench in Puttaswamy. The 2019 ruling subsequently sustained the linkage. The practical consequence is that a PAN-misuse fact pattern almost always implicates Aadhaar simultaneously — the demographic seed for most PAN frauds is the linked Aadhaar database.

The Puttaswamy constitutional anchor

The constitutional framework for Aadhaar misuse is supplied by two Supreme Court rulings. Justice K S Puttaswamy (Retd) v Union of India, (2017) 10 SCC 1, by a unanimous nine-judge Bench, recognised the right to privacy — including informational privacy — as a facet of Article 21 read with the dignitarian content of Articles 14 and 19. The judgment laid down the three-fold proportionality test for any state action that interferes with informational privacy: legality (a law authorising the action), legitimate aim (a State interest of sufficient importance), and proportionality (a rational nexus between the means and the aim, the absence of a less restrictive alternative, and a fair balance between rights and the State interest).

Justice K S Puttaswamy (Retd) v Union of India, (2019) 1 SCC 1 — the Aadhaar-5J ruling — applied the Puttaswamy proportionality test to the Aadhaar Act and held that the Act, as a whole, passed muster. The majority (Sikri J, joined by Khanwilkar and Bhushan JJ, with A K Sikri authoring) upheld Sections 7 and 8 (authentication architecture); read down Section 33 (judicial-order disclosure) to require a High Court Judge and prior hearing; struck down Section 57 to the extent it permitted body corporates and individuals to demand Aadhaar authentication for the establishment of an identity; held Section 47 (UIDAI as exclusive complainant) constitutional but observed that it does not bar victims from invoking the IT Act and the BNS [IPC]; and held the passage of the Aadhaar Act as a Money Bill under Article 110 valid. The Chandrachud J dissent — declaring the Aadhaar Act ultra vires on Money Bill grounds and on the deeper privacy-architecture infirmity — is widely treated by the academic and judicial commentary as the more rigorous reading, but is not the operative law.

For an identity-theft victim, the constitutional layer matters in three ways. First, the three-fold Puttaswamy test means that any private actor (bank, fintech, telecom) that requires Aadhaar authentication outside the four corners of Section 7 read with the post-2019 framework is on weak ground — the strike-down of Section 57 has been treated by the High Courts as a continuing constitutional restraint. Second, the proportionality test informs the writ jurisdiction of the High Courts under Article 226 — a petition for mandamus against a private actor that has demanded and mishandled Aadhaar data has constitutional purchase. Third, the Puttaswamy I privacy framework supplies the doctrinal anchor for the forthcoming Digital Personal Data Protection Act, 2023 regime, which is being progressively notified through 2025–2026 and which will eventually displace large parts of the IT Act-era data-handling framework. Shreya Singhal v Union of India, (2015) 5 SCC 1 — though decided on the Section 66A free-speech question — supplies the wider IT Act constitutional vocabulary and is cited in this domain for its broader pronouncements on the legitimate scope of internet-specific offences.

The redress route — UIDAI grievance, FIR under BNSS Section 173, and the parallel civil claim

The redress architecture for an Aadhaar or PAN misuse victim runs in three parallel tracks. None is sequential; a careful victim invokes all three on the same day.

Track one is the UIDAI grievance redressal mechanism. The Aadhaar (Authentication) Regulations, 2016 and the Aadhaar (Sharing of Information) Regulations, 2016 require the UIDAI to maintain a grievance-handling channel; the 1947 helpline and the help@uidai.gov.in mailbox are the consumer-facing entry points. The UIDAI's "lock biometric" facility — accessed through the mAadhaar app or the UIDAI portal — allows the holder to immediately freeze biometric authentication, which is the single most effective stop-loss measure when biometric misuse is suspected. The "authentication history" feature on the UIDAI portal allows the holder to retrieve the audit log of the last six months of authentication transactions — the foundational evidence for any subsequent complaint. The Income-tax Department's e-filing portal performs the equivalent function for PAN; a "PAN grievance" can be lodged through the portal and the National Securities Depository Limited (NSDL) channels.

Track two is the criminal complaint. The FIR is registered with the local police station having territorial jurisdiction under Section 173 of the Bharatiya Nagarik Suraksha Sanhita, 2023 [Section 154 CrPC]. The offences invoked are typically Sections 66C and 66D of the IT Act read with Sections 318, 319 and 336 of the Bharatiya Nyaya Sanhita, 2023 [Sections 415, 416, 419, 463 and 464 IPC]. Where the misuse is of the Aadhaar number itself, Sections 38 to 40 of the Aadhaar Act are added — though the Section 47 bar on cognizance (only on UIDAI complaint) is a recurrent procedural complication, addressed by parallel intimation to the UIDAI. The investigating officer must be of the rank of Inspector or above (Section 78 IT Act). Where the matter has a financial dimension, the National Cybercrime Reporting Portal (cybercrime.gov.in) supplies a complementary intake route that is mirrored to the local cybercrime cell.

Track three is the civil-and-regulatory claim. The Aadhaar holder has a Section 43A IT Act claim — civil damages by way of compensation — against any body corporate that has been negligent in implementing reasonable security practices in handling sensitive personal data. The Reserve Bank of India's "Master Directions on Customer Service" and the "Limited Liability of Customers in Unauthorised Electronic Banking Transactions" Circular (2017) cap the customer's liability where the unauthorised electronic transaction was on account of a third-party breach, subject to time-bound intimation. The banking ombudsman channel, the Insurance Regulatory and Development Authority (IRDAI) grievance route, and the Telecom Regulatory Authority of India (TRAI) channels supply sector-specific overlays. A writ petition under Article 226 of the Constitution is available where a State authority or instrumentality has been complicit in the misuse — the Puttaswamy proportionality framework supplies the standard.

A practical roadmap — what to do within seventy-two hours

The seventy-two-hour window after the discovery of Aadhaar or PAN misuse is doctrinally the most important. Three statutory limitation points cluster within it — the RBI three-day intimation window for zero-liability under the 2017 Circular, the seventy-two-hour anti-evidence-destruction window that informs the cyber forensic practice, and the practical fact that authentication audit trails on the UIDAI portal are most reliably retrievable while the misuse is recent.

Step 1 — Lock the biometric and freeze the financial exposure. Through the mAadhaar app or the UIDAI portal, invoke the "lock biometric" feature; this prevents any further fingerprint or iris authentication. Simultaneously, intimate the affected bank (in writing, retaining acknowledgement) of the unauthorised transaction; the three-day clock under the RBI 2017 Circular runs from the date of the unauthorised transaction or the date of intimation, whichever is later — and the customer's zero-liability protection depends on it.

Step 2 — Retrieve the authentication audit log. Through the UIDAI portal's "Aadhaar Authentication History" feature, download the six-month authentication log. This is the foundational documentary evidence — it shows the AUA (Authentication User Agency) that initiated each authentication, the type of authentication (biometric, OTP, demographic), and the timestamp. For PAN, the Income-tax e-filing portal's "View Form 26AS" and "Annual Information Statement" provide the audit trail of transactions reported against the PAN.

Step 3 — Lodge the FIR under Section 173 BNSS [Section 154 CrPC]. Approach the local police station of jurisdiction or the cybercrime cell. The complaint should invoke Sections 66C and 66D of the IT Act and Sections 318, 319 and 336 BNS [Sections 415, 416, 419 and 463 IPC], and, where Aadhaar misuse is alleged, Sections 38, 39 and 40 of the Aadhaar Act, 2016 read with Section 47. If the SHO refuses to register the FIR, the remedy under Section 173(3) BNSS [Section 154(3) CrPC] is to escalate to the Superintendent of Police, followed by a Section 175 BNSS [Section 156(3) CrPC] application to the Magistrate. Lalita Kumari v Government of Uttar Pradesh, (2014) 2 SCC 1 holds that registration of an FIR is mandatory where the information discloses a cognizable offence, and the Section 173 BNSS framework carries this principle forward.

Step 4 — Mirror the complaint to the National Cybercrime Reporting Portal. File a parallel complaint at cybercrime.gov.in. The portal is mirrored to the local cybercrime cell of the State, and the complaint number is admissible as proof of intimation for subsequent insurance, banking and consumer-forum claims. The portal also triggers the "1930" cyber-financial-fraud hold mechanism for unauthorised transactions reported within the "golden hour".

Step 5 — Intimate the UIDAI. A written complaint to the UIDAI through the 1947 helpline, help@uidai.gov.in, or the Resident Grievance portal, attaching the FIR copy and the authentication audit log. The intimation is necessary to trigger any Section 47 prosecution under the Aadhaar Act and to align the UIDAI's own investigation with the police FIR.

Step 6 — Issue notices to the affected entities. Demand letters under Section 43A IT Act to any body corporate that has handled the Aadhaar or PAN data, asking for the security-practices audit and the breach-disclosure logs. These letters are the predicate for a Section 43A claim for damages before the Adjudicating Officer under the IT Act (where the claim is up to five crore rupees) or the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) above that threshold.

Step 7 — Consider the constitutional remedy. Where the misuse involves a State authority, a public-sector bank, or an instrumentality of the State, a writ petition under Article 226 of the Constitution before the relevant High Court is available — invoking the Puttaswamy I informational-privacy framework and the proportionality test. The writ is preventive (a mandamus for biometric lock, for blocking specific authentication transactions) and remedial (a direction for an inquiry, compensation, and disciplinary action).

Open questions and unresolved doctrinal tensions

Three doctrinal questions remain genuinely unresolved in 2026 and any careful piece in this area has to acknowledge them.

The first is the relationship between Section 47 of the Aadhaar Act and the victim's direct right of access to criminal process. Section 47(1) provides that no court shall take cognizance of any offence punishable under the Aadhaar Act save on a complaint made by the UIDAI or any authorised officer. The Karnataka and Delhi High Courts have read Section 47 to bar only Aadhaar-Act-specific prosecution, leaving IT Act and BNS prosecution available to the victim through the ordinary FIR route. The position has not been authoritatively settled by the Supreme Court, and a few orders of other High Courts have read Section 47 more broadly. A Supreme Court reference, when it comes, will determine whether an Aadhaar-misuse victim has a direct route to invoke Sections 38 to 40 of the Aadhaar Act or whether she must channel the complaint through the UIDAI.

The second is the proportionality of Section 33 in its post-read-down form. The 2019 majority required that disclosure under Section 33 be ordered by a High Court Judge after hearing the Aadhaar holder. The mechanics of that hearing — whether it is an inter-partes hearing in chambers, whether the State has a right of reply, whether the standard of disclosure is "reasonable suspicion" or "prima facie satisfaction" — has been developed case-by-case in the High Courts, and the practice diverges. A unifying judgment is overdue.

The third is the interface of the Aadhaar Act with the Digital Personal Data Protection Act, 2023, which is being progressively notified through 2025–2026. The DPDP Act creates a horizontal data-protection framework that overlaps with — but does not displace — the Aadhaar Act's vertical, identifier-specific framework. Whether the Data Protection Board under the DPDP Act will have concurrent jurisdiction over Aadhaar-misuse complaints, or whether the Aadhaar Act will continue as a self-contained regime, is a question that will be answered through early DPDP Act jurisprudence over the next few years.

Section 66C of the IT Act, drafted in 2008 in the contemplation of password and electronic-signature misuse, is now the working law for one of the most heavily litigated cyber offences in India. Its three-year ceiling and bailable character are the standing complaints. The Aadhaar Act overlay supplies the architecture that the IT Act framers could not have foreseen — a unique-identifier database of 1.3 billion records, with biometric authentication baked into the welfare state. The Puttaswamy line supplies the constitutional discipline that holds the architecture together. For the victim of an Aadhaar or PAN misuse, the working law is the composite of all three — invoked in parallel through the redress tracks described above, with no track left unworked.