Protean eGov: A Letter to the Board (Stdout)

This is the third post in an ongoing series. The first was published anonymously. The second named the company. This one is a formal notice to their Board of Directors.

I’ll get to the letter. First, I need to tell you how it was delivered, because the delivery is part of the story.

They blocked me

On May 7, 2026, I sent the letter below to cs@proteantech.in — the Company Secretary address published by Protean eGov Technologies Limited as their formal corporate correspondence channel. Indian company law requires listed companies to maintain this contact. It bounced.

554 5.7.1 : Recipient address rejected: BLOCK-SEND-ER.

I tried ir@proteantech.in — their published Investor Relations address. Same result.

554 5.7.1 : Recipient address rejected: BLOCK-SEND-ER.

Both addresses rejected my email at the server level. Not a spam filter. Not a full mailbox. A deliberate rejection rule.

I then sent the same letter from a different email address. It went through.

Protean eGov Technologies Limited, the company that has been routing Indian citizens’ identity data to my personal email for two years, that ignored every private contact attempt, that was personally notified by me and read the message, has specifically blocked my ability to contact them.

I want to be precise about what this means. Somewhere inside Protean eGov, someone who handles email infrastructure knows my address. They didn’t fix the misconfiguration that sends me citizens’ data. They blocked the person reporting it.

The letter

What follows is the formal notice I sent to the Board of Directors of Protean eGov Technologies Limited on May 7, 2026. It was delivered via an alternate address after the company’s published corporate channels rejected my email.

To the Board of Directors, Protean eGov Technologies Limited:

My name is Joe. I am a software architect and cybersecurity practitioner based in the United States. I am writing to formally notify the Board that your company has been routing sensitive operational data, including Indian citizens’ personal information, to a personal email address I own, and has done so for approximately two years.

I have made every reasonable effort to resolve this privately. This letter is a record of those efforts, their outcomes, and the obligations that remain unmet.

The issue

At some point prior to May 2024, Protean eGov registered a Gmail address it does not own or control as an operational contact within its systems. That address is mine. Since then, I have received:

Eleven Citibank India payment advices containing transaction references and partial banking details for payments made to Protean eGov. The most recent three arrived on May 6, 2026.
Seventy-three PAN application tokens generated by citizens submitting applications through your portal — forty-three of which arrived within a single morning.
Corporate invoices addressed to Protean eGov.
Internal Security Operations Centre ticket notifications, with my address embedded as a recipient in your incident management system.
Direct correspondence from citizens who believe my address is an official Protean eGov contact, including government ID numbers and personal documents.

Prior notification

May 24, 2024: I notified Citibank India directly. No response.
April 29, 2025: I notified Protiviti India after receiving misdirected tax documents. No corrective action.
~July 2025: I submitted a report through Protean eGov’s website contact form. No response.
September 17, 2025: I messaged your CTO, Dattaram Mhadgut, on LinkedIn. The message was read. No response was given.

Every channel I had access to was used. Every attempt was ignored.

Regulatory complaints

On March 16, 2026, I filed simultaneous complaints with:

CERT-In: as an active security incident under the IT Act. CERT-In responded the same day and received a comprehensive evidence package. Investigation is active.
The Income Tax Department: regarding Protean eGov’s authorization to process PAN applications under these conditions.
The Reserve Bank of India: against Citibank India for continuing to transmit confidential payment data to an unverified recipient after explicit notification.

The data is still arriving

On May 6, 2026, fifty-one days after the regulatory complaints were filed, and over seven months after your CTO was personally notified, three new Citibank India payment advices arrived at my email address. The underlying misconfiguration has not been corrected.

Legal exposure

I am not your legal counsel and this is not legal advice. I note the following for the Board’s awareness:

The Digital Personal Data Protection Act 2023 and DPDP Rules 2025 classify Protean eGov as a Data Fiduciary. Breach notification to the Data Protection Board is mandatory without delay, followed by a detailed report within 72 hours. Failure to notify carries penalties of up to ₹200 crore. No such notification has been made to my knowledge.
IT Act 2000, Sections 43A and 72A, establish civil compensation liability and criminal liability for negligent handling of sensitive personal data.
CERT-In’s 2022 directive mandates breach reporting within six hours of awareness for entities in your category.

Your CTO’s documented awareness dates to September 17, 2025. The regulatory clock has been running since then.

What I am asking

Correct the email misconfiguration.
Notify the Data Protection Board of India of this breach.
Notify affected citizens that their PAN application data, personal documents, and correspondence were sent to an uncontrolled third-party address.
Confirm to me in writing that these steps have been taken.

Public record

This matter is documented in two previous public posts:

This letter is the third entry in that series. The complete evidence package remains available to any regulatory body that requests it.

I have not opened, used, or distributed the data I have received.

Respectfully,

Joe Software Architect & IT Security wolf-solutions.dev

This is the third post in an ongoing series. I will continue to update as the situation develops.