In a stark warning issued in Ahmedabad, cybersecurity experts have revealed that your personal information, sold for a mere few rupees on illicit online markets, is the primary fuel for creating sophisticated digital clones used in fraud. The alarming details were shared during the 'Hacked 2.0' session organized by TOI and the National Forensic Sciences University (NFSU) at the Gujarat Chamber of Commerce & Industry (GCCI), hosted by the Jain International Trade Organisation (JITO).
The Cheap Commodity: Your Identity for a Few Rupees
The session, titled 'Navigating Digital Personal Data Protection Act Compliance and Deepfake Phishing', painted a grim picture of the digital threat landscape. Kritarth Jhala, Senior Scientific Officer at NFSU's Centre of Excellence in Digital Forensics, explained that basic details like your name, mobile number, birthdate, and email ID are raw materials for artificial intelligence systems. "Cybercriminals acquire your basic personal information for a pittance on the grey market," Jhala stated. "They use it to build deepfake clones that can then bypass authentication checks or deceive your staff. A few rupees' worth of stolen data can ultimately cause financial losses amounting to thousands or even millions."
Experts outlined a direct chain of consequences stemming from seemingly minor data leaks. They pointed out that many breaches occur because companies hoard unnecessary customer data, fail to encrypt it properly, or neglect regular security audits. These oversights create vulnerabilities that criminals exploit to craft convincing deepfakes for phishing and financial scams.
The DPDP Act 2023: A Shield with Teeth
The discussion heavily emphasized the Digital Personal Data Protection (DPDP) Act 2023 and the rules notified in November 2025 as the critical legal framework to counter this threat. Rajdeep Ghosh, Assistant Professor of Law (Forensic Justice & Policy) at NFSU, warned that only strict adherence to this law can minimize the risk. "Non-compliance can invite fines of up to Rs 250 crore," Ghosh cautioned.
He clarified that the Act's scope is extensive, covering any data that can identify a person, including digitized paper records. Its protection rests on seven pillars of privacy: identity, online actions, communications, networks, opinions and emotions, movements, and sensitive personal data. Ghosh detailed the three key roles introduced by the Act: the data principal (the individual), the data fiduciary (the entity processing the data), and the consent manager—a registered intermediary that helps individuals manage their consent.
For Significant Data Fiduciaries (SDFs), such as government bodies and large corporations, the requirements are even stricter. They must appoint a data protection officer based in India, conduct impact assessments before launching new services, and undergo independent security audits. "Core principles include fairness, transparency, and limiting the use of collected data to the intended purpose," Ghosh said. "If I provide my email for a receipt, they cannot use it to send marketing messages." The law also mandates prompt breach notifications to affected individuals and the DPDP Board within 72 hours.
How Deepfakes Work and How to Protect Yourself
Kritarth Jhala demystified the technology behind the threat, explaining that deepfakes are powered by Generative Adversarial Networks (GANs). He described this as a "relentless digital duel between two AIs," where one network generates the fake audio or video and another refines it until it can pass as authentic, even in a live interaction.
For individuals, Jhala offered crucial advice: enable two-factor authentication on all critical accounts using trusted authenticators. He also highlighted that the DPDP Act mandates that grievance requests must be resolved within 90 days, a challenging timeline for large organizations. The overarching message from the experts was clear: "Security has to be designed in from Day 1" to curb emerging threats like politically motivated deepfakes and financial fraud.
The event served as a crucial reminder for both businesses and individuals in Ahmedabad and across India that in the digital age, protecting personal data is not just about privacy but is a fundamental requirement for financial and social security.
