EQmint Originals

RBI UDGAM Portal May Have Exposed Millions Of Home Addresses And Banking Details 

May 22, 2026

May 22, 2026: A detailed responsible disclosure document claims that the RBI UDGAM portal, designed to help users search for unclaimed bank deposits, exposed highly sensitive depositor information, including:

    • Full residential addresses

    • Bank affiliations

    • Dormant account linkage

    • Potentially even minor-related records

Author: Avinash Jain | EQMint Exclusive

 

India’s banking regulator may be facing one of the most serious privacy questions linked to public financial infrastructure in recent years.

 

And according to the report, the issue directly contradicted the portal’s own documented privacy model.

 

The core problem was not just data exposure. It was a trust architecture failure

The RBI UDGAM portal was specifically designed around something called the UDRN (Unclaimed Deposit Reference Number).

 

The RBI’s own framework described UDRN as a privacy-preserving identifier that should ensure: “the account holder or the bank branch cannot be identified by any third party.”

 

But the disclosure claims the portal’s API response returned:

    • Full depositor names

    • Exact home addresses

    • Bank names

    • Dormant deposit references

That effectively defeated the entire privacy purpose behind the UDRN system.

 

The report describes it bluntly: the platform returned both the privacy-preserving identifier and the identity information it was meant to protect.

 

The exposed combinations create real-world fraud risks

This is not just a technical issue.

 

The report outlines how the exposed data combinations could enable:

    • Highly believable scam calls

    • KYC-grade identity fraud

    • SIM swap attacks

    • Loan fraud attempts

    • Physical stalking risks

    • Targeting of elderly depositors and NRIs

One especially alarming observation involved a record marked “MINOR,” implying that a child’s residential address and banking linkage may also have been exposed.

 

Under India’s Digital Personal Data Protection Act, child-related data receives heightened legal protection. That makes the issue even more sensitive.

 

The screenshots make the situation look worse

The report includes screenshots of API responses and portal search results allegedly showing:

    • Full address fields

    • House numbers

    • Localities

    • Cities

    • State-level details

    • Linked bank names

And importantly, the documentation repeatedly notes that the official UDGAM user manual only described the expected output as:

    • Name

    • Place

    • Bank name

    • UDRN

Not full residential addresses.

 

That mismatch between documentation and runtime behaviour is becoming one of the biggest concerns raised in the disclosure.
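
One way to catch this kind of mismatch before release, as an added example that is not from the disclosure or the portal's code: a contract check that compares every field in a response record against the documented output list, plus an allowlist serializer. The JSON key names, the `results` wrapper and the sample record are assumptions constructed for illustration.

```python
import json

# Documented output per the user manual as cited in the article:
# Name, Place, Bank name, UDRN. The JSON key names are assumptions.
DOCUMENTED_FIELDS = frozenset({"name", "place", "bank_name", "udrn"})

# Constructed sample response (placeholder values, not real data).
SAMPLE_RESPONSE = json.loads("""
{"results": [{
  "name": "EXAMPLE HOLDER",
  "place": "EXAMPLE CITY",
  "bank_name": "EXAMPLE BANK",
  "udrn": "UDRN-PLACEHOLDER-0001",
  "address": {"house_no": "00", "locality": "EXAMPLE LOCALITY",
              "city": "EXAMPLE CITY", "state": "EXAMPLE STATE"}
}]}
""")

def leaf_paths(value, prefix=""):
    """Yield the dotted path of every leaf in a nested JSON value."""
    if isinstance(value, dict) and value:
        for key, child in value.items():
            yield from leaf_paths(child, f"{prefix}.{key}" if prefix else key)
    elif isinstance(value, list) and value:
        for index, child in enumerate(value):
            yield from leaf_paths(child, f"{prefix}[{index}]")
    else:
        yield prefix  # scalar, or an empty container

def undocumented_fields(record, allowed=DOCUMENTED_FIELDS):
    """Return sorted leaf paths that the documented contract does not list."""
    return sorted(p for p in leaf_paths(record) if p and p not in allowed)

def project(record, allowed=DOCUMENTED_FIELDS):
    """Allowlist serializer: keep documented scalar fields, drop the rest."""
    return {k: v for k, v in record.items()
            if k in allowed and not isinstance(v, (dict, list))}

def audit(response, allowed=DOCUMENTED_FIELDS):
    """Map record index -> undocumented paths, for records that have any."""
    report = {}
    for index, record in enumerate(response.get("results", [])):
        extra = undocumented_fields(record, allowed)
        if extra:
            report[index] = extra
    return report
```

Run as a release gate, `audit` fails the build when a backend change adds a field the manual never promised, while `project` keeps new fields out of responses by default.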

 

My analysis: this is bigger than a single portal bug

That’s the real story here. India is rapidly building centralized digital financial infrastructure:

    • Aadhaar-linked systems

    • Banking aggregation layers

    • Public financial portals

    • Unified digital identity ecosystems

But centralization also increases blast radius.

 

A privacy failure inside a regulator-operated financial platform carries far greater trust implications than a normal startup breach because users assume regulator systems are designed with the highest security standards.

 

And honestly, this disclosure highlights a larger weakness across many Indian digital systems: privacy architecture is often designed properly at policy level, but implementation discipline at API level remains inconsistent.

 

The report itself describes the issue as:

“an over-inclusive API response returned one field too many.”

 

That single sentence may summarize one of the biggest cybersecurity problems in modern digital governance. Not dramatic hacks. Just one extra field exposed at scale.

 
