What has the NPCI found on the TrueCaller security breach? We write to them asking just that.

The NPCI began an investigation on the TrueCaller security breach that occurred on July 30, 2019. We write to them to enquire on the insight and outcomes of the investigation.

18 October, 2019
1 min read


  • Background:  On August 1, 2019, we wrote to the National Payments Corporation of India (NPCI) indicating concern and also suggested a few points of action with regard to the TrueCaller security breach that occured on July 30, 2019. Within no time, we received a response that an investigation was being conducted on the issue.
  • New update: With almost two months since the incident, we thought it was necessary to check-in with the NPCI to enquire about the action and outcomes taken after the security breach.


On 30.07.2019, media reports and various user complaints brought to light an issue that caused the automatic registration of unified payments interface (UPI) based IDs of Truecaller users without their knowledge and consent. We wrote to NPCI indicating concern and suggesting immediate and intermediate action (read more) and they informed us of two steps they took in response, firstly, that they had stopped onboarding new Truecaller users on the UPI Platform and secondly, that they started an investigation on the incident.

Keeping us in the loop

Not to talk their ears off (and yours), we basically asked them to provide information on insights and the outcomes of their investigation. Its important that the public be made aware of the reason for this security breach especially as it pertains to their own data. This also brings a level of accountability to platforms like TrueCaller to ensure that put the rights and protection of individuals first.

Additionally, we reiterated two of our previous interim steps that indicated the need for a complaint redressal mechanism and the importance of architecture documentation in the public space to enable concerned individuals identify vulnerabilities.

Links to important documents

  • Follow-up representation to the NPCI dated 14.10.2019 (link)
  • Response by NPCI dated August 6, 2019 (link).
  • True (caller) or False (caller)? We ask NPCI to answer this question (link).
  • Representation to the NPCI dated 1.08.2019  (link)

Would you like to get updates on our work? Become a IFF member!

Subscribe to our newsletter, and don't miss out on our latest updates.

Similar Posts

Delhi High Court directs government to submit affidavit confirming lack of written records in Aarogya Setu’s development

Updates on Saurav Das’ writ petition before the Delhi High Court, where he is contesting the Central Information Commission’s decision to withhold information related to Aarogya Setu.

4 min read

Supreme Court refers challenge to constitutionality of sedition law to a larger Bench of at least 5 judges

Noting that the past cases under Section 124-A will not be affected on account of introduction of new Bills, a 3-judges bench of the Supreme Court led by the CJI has referred the petition challenging the constitutionality of Section 124-A to a larger Bench of at least 5 judges

5 min read

Shooting down bad ideas: Our response to TRAI’s consultation paper on OTT Regulation and Selective Banning

TRAI released a consultation paper on OTT regulation and selective banning. In our response, we expressed our view against the licensing and registration as well as selective banning of OTT communication services. See the post to read our detailed comments.

5 min read

Donate to IFF

Help IFF scale up by making a donation for digital rights. Really, when it comes to free speech online, digital privacy, net neutrality and innovation — we got your back!