Identity Theft (Digital) is the fraudulent or dishonest use of another person's electronic signature, password, or any other unique identification feature — including biometric data, Aadhaar number, PAN, or login credentials — without authorisation, to impersonate or gain access to their digital accounts, services, or resources. Under Indian law, it is a criminal offence under Section 66C of the Information Technology Act, 2000, punishable with imprisonment up to 3 years and a fine up to Rs 1 lakh, and is a cognizable, bailable, and compoundable offence.
Legal definition
The Information Technology Act, 2000 provides a specific provision for identity theft:
Section 66C — Punishment for identity theft: Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.
The scope of "unique identification feature" has been interpreted broadly by courts to include:
- Passwords and PINs for banking, email, and social media accounts
- One-time passwords (OTPs) obtained through deception
- Biometric data (fingerprints, iris scans) linked to Aadhaar
- Electronic signatures under the IT Act
- Digital certificates and encryption keys
- Aadhaar numbers, PAN numbers, and other government-issued digital identifiers
Additionally, the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 provides specific penalties for identity theft involving Aadhaar data under Sections 35 and 36 — imprisonment up to 3 years and a fine up to Rs 10,000.
How courts have interpreted this term
K.S. Puttaswamy v. Union of India [(2017) 10 SCC 1]
The nine-judge bench of the Supreme Court, in declaring privacy a fundamental right, observed that informational privacy — including the right to control one's personal data and digital identity — is a core component of the right to privacy under Article 21. The judgment provides the constitutional framework for protecting digital identity, holding that the state must ensure adequate safeguards against misuse of personal data and identity information.
Syed Asifuddin v. State of Andhra Pradesh [(2005) — AP High Court]
The Andhra Pradesh High Court held that the misuse of electronic serial numbers (ESN) and mobile identification numbers (MIN) to reprogramme mobile phones constitutes identity theft under the IT Act. The Court recognised that unique electronic identifiers are the digital equivalent of personal identity and their misuse for impersonation or fraud falls squarely within Section 66C.
Reserve Bank of India v. Jayantilal N. Mistry [(2016) 3 SCC 525]
While primarily concerning transparency in banking, the Supreme Court's observations on the importance of protecting financial identity data have been cited in identity theft prosecutions. The Court emphasised that financial institutions hold identity and account information as fiduciaries and must take adequate measures to prevent unauthorised access and misuse.
Why this matters
Digital identity theft is among the fastest-growing cybercrimes in India, driven by the digitisation of financial services (UPI, mobile banking), government services (Aadhaar-linked services, DigiLocker), and social interactions (social media, messaging). The consequences for victims extend beyond financial loss — stolen identities can be used to take out loans, file fraudulent tax returns, commit crimes in the victim's name, or cause reputational damage through impersonation on social media.
For individuals, the most common vectors for identity theft include phishing attacks, SIM swap fraud (where criminals port the victim's phone number to a new SIM), data breaches at service providers, social engineering through customer care impersonation, and skimming devices at ATMs. The proliferation of Aadhaar as a universal identifier creates particular risks, as compromise of Aadhaar biometrics affects all linked services.
For organisations processing personal data, the Digital Personal Data Protection Act, 2023 imposes obligations to implement reasonable security safeguards. A data breach leading to identity theft may attract penalties up to Rs 250 crore under the DPDP Act in addition to prosecution under the IT Act. The DPDP Rules, 2025 further prescribe breach notification requirements.
For legal practitioners, identity theft cases often involve multiple offences under the IT Act (Sections 43, 66, 66C, 66D), the BNS (Sections 318, 319 for cheating), and potentially the Aadhaar Act, PMLA (if proceeds are laundered), and the DPDP Act. Establishing the chain of digital evidence and obtaining Section 65B certificates for electronic records are critical procedural requirements.
Related terms
Parent concept:
Related offences:
Related data protection:
Frequently asked questions
How do I report digital identity theft in India?
File a complaint on the National Cyber Crime Reporting Portal (cybercrime.gov.in) or call the helpline 1930. Also file an FIR at the nearest police station — Section 66C is a cognizable offence. For Aadhaar-related identity theft, contact UIDAI's helpline (1947) and lock your Aadhaar biometrics through the mAadhaar app or the UIDAI portal. Notify your bank and telecom provider immediately.
What is the punishment for identity theft under Indian law?
Section 66C of the IT Act prescribes imprisonment up to 3 years and a fine up to Rs 1 lakh. If the identity theft is used for cheating, Section 318 BNS (formerly Section 420 IPC) adds imprisonment up to 7 years. For Aadhaar-related identity fraud, Sections 35-36 of the Aadhaar Act prescribe imprisonment up to 3 years and a fine up to Rs 10,000. Multiple offences can be charged simultaneously.
Can I lock my Aadhaar to prevent identity theft?
Yes. UIDAI provides a biometric locking facility through the mAadhaar app and the UIDAI website. When locked, your biometrics cannot be used for authentication — this prevents misuse even if biometric data is compromised. You can temporarily unlock biometrics when needed for authentication and re-lock them afterward. Additionally, you can generate a Virtual ID (VID) for authentication purposes instead of sharing your actual Aadhaar number.
This entry is part of the Veritect Indian Legal Glossary, a comprehensive reference of Indian legal terminology grounded in statutory text and judicial interpretation.
Last updated: 2026-03-27. Veritect provides this content for informational purposes and does not constitute legal advice.