Big crackdown on PAN details unauthorised use! The Indian Cybercrime Coordination Centre (I4C), operating under the Union home ministry, has directed the cessation of unauthorized usage of Indian citizens’ Permanent Account Numbers (PAN) by financial technology companies and other consumer tech firms, informed sources told ET.

The government is taking stringent action against technology companies’ unauthorized handling of personal data as it moves forward with implementing the Digital Private Data Protection Act, 2023 (DPDP).

“This was known as a ‘Pan enrichment’ service, which would help loan distribution companies create a profile of their customers against their Pan numbers, for cross sell of credit and other financial products,” said a top executive at a fintech firm on the condition of anonymity.

“Sometimes this data was also used to cross check the details put in by the customer in his or her application form,” he added.

Recent weeks have seen disruptions in these services as government intervention has led to the closure of many unauthorized operations, according to reliable sources.

Based on information from three industry experts, numerous firms accessed customers’ personal information, including full names, addresses, phone numbers, and other details by utilizing their PAN numbers through Income Tax department’s backend systems. One executive highlighted that PAN numbers’ connection to consumer credit scores made it particularly valuable data.

This practice, while not a data breach, represented unauthorized access to Income Tax department’s backend infrastructure, which technology service providers maintain.

“There has been no disruption in the authorised service which is through the National Securities Depository (NSDL), where they do not share any personal data against the Pan number but just says whether the details provided match with their database,” the executive added.

Several industry sources indicated that this unauthorized service was widely used by various financial entities, including consumer lending platforms, loan sourcing channels, direct sales agents, and credit aggregators, though identifying specific companies is challenging as these practices were part of their internal operations.

An executive mentioned earlier suggested these actions align with the government’s broader initiative to eliminate unauthorized access to Indian citizens’ Personal Identifiable Information (PII), which will be examined thoroughly after data protection rules are implemented.

Under the DPDP Act of 2023, businesses must obtain proper consent and use authorized channels when processing citizens’ information.

“After the Supreme Court judgement on Aadhaar, the rules around access to this database had gotten codified and formalised; now the government will crackdown on every unauthorised access to any government database,” the executive said.

Industry experts acknowledge that while the restrictions may cause operational challenges, they believe this will ultimately help organizations align their systems with upcoming stringent data protection regulations.