
Last Updated: 2024-05-15 ~ Audrey Sarlin ~ DPDP Consultants

Top Four Recent Data Breaches in India (2024)

1. boAt Data Breach (April 2024)

Forbes India reported a personal data leak of 7.5 million boAt customers, including names, addresses, phone numbers, email addresses, and customer IDs. The security breach, disclosed by hacker ShopifyGUY, occurred on April 5 and was shared on a dark web forum, exposing users to risks like financial fraud and identity theft.

Rakesh Krishnan of NetEnrich stated that the hacker had accessed the personal data at least a month before it appeared on the dark web. Yash Kadakia, founder of Security Brigade, noted that the personal data is available on some forums for eight credits (around two euros) and may soon be free on Telegram, exposing victims to phone and email scams.

2. Indian Telecom Data Breach (January 2024)

Cybersecurity researchers have discovered a massive global database of 26 billion leaked records. According to Forbes, it is likely the largest security breach to date and has rightly been dubbed the “Mother of all Breaches”. Bob Diachenko of Security Discovery and the Cybernews team claim to have discovered the 12-terabyte breach database, which contains sensitive information from sites like Twitter, Dropbox and LinkedIn, Chinese platforms like Tencent and Weibo, and other platforms like Adobe, Canva, and Telegram.

The leaked personal data includes numerous username and password combinations. While much of it is recycled from past breaches, the presence of these credentials poses a significant threat.

3. Aadhaar Data Leak (October 2023)

Resecurity, a US-based cybersecurity firm, reported that the personal information of 815 million Indians was leaked on the dark web. This personal data included names, phone numbers, addresses, Aadhaar, and passport information, with the entire breach database being sold for $80,000 by a threat actor named ‘pwn0001’.

The Central Bureau of Investigation (CBI) was investigating the breach. There were suggestions that the personal data may be from the Indian Council of Medical Research (ICMR) database.

This breach has been a major setback for the government’s digitization efforts, which rely on Aadhaar and other digital infrastructures.

4. Covid-19 Data Breach (October 2023)

Covid-19 test data of over 81 crore Indians was allegedly leaked and put up for sale on the dark web. The database was held by the Indian Council of Medical Research (ICMR). An American cybersecurity agency discovered the breach, which includes names, addresses, phone numbers, and Aadhaar numbers. The hacker also advertised the breach on X (formerly Twitter).

The hacker reportedly shared spreadsheets containing one lakh records of personal information of Indian residents. The ICMR had also alerted the Indian Computer Emergency Response Team (CERT-In). However, it is unclear whether ICMR systems were breached or whether the data came from another source.

How Could One Prevent These Breaches?

These recent data breaches tell us that the need to safeguard the personal data of your customers is more urgent than ever. Here’s what each organization must do:

  1. Training Employees: Companies can ensure employees know how to prevent personal data leaks by creating strong passwords, regularly updating them, reporting suspicious activities, and understanding various types of scams.
  2. Updating Processes: Regularly refining data security procedures and maintaining clear guidelines can help highlight the importance of data security.
  3. Remote Monitoring: An in-house IT team or a hired IT agency can monitor systems and maintain data security.
  4. Data Backup and Recovery: Implementing automated remote personal data backup systems can help recover data in case of breaches.
  5. Destroying Before Deletion: Companies should completely dispose of old, unnecessary records so that no data trail is left behind.
  6. Using the Latest Software: Keeping all security tools updated helps effectively deal with new threats.
  7. Encrypting Data: Companies should use end-to-end encryption for emails and Wi-Fi networks.
  8. Hiring an Expert: Employing specialists can help handle complex threats from hackers.

Safeguarding Users' Personal Data Under India's Privacy Law - DPDP Act, 2023

India’s Digital Personal Data Protection Act (DPDPA) sets out key rules and standards that protect the personal data of individuals processed by organisations. Data Fiduciaries (entities that determine how and why personal data is processed) are responsible for safeguarding individuals’ personal data.

Any business managing personal data in India needs to understand these duties and obligations.

Data Fiduciary's Duty

Under the Digital Personal Data Protection Act (DPDPA), a data fiduciary is any entity that determines the purpose and means of processing personal data. This includes organisations of all sizes that handle personal data impacting Indian citizens.

1. Data fiduciaries must ensure the security and confidentiality of customer information held by data processors. Staff access should be limited to necessary functions only.

2. Data processors must isolate and identify each data fiduciary’s customer information, with strong safeguards like encryption to prevent mixing personal data from different entities.

3. Data fiduciaries should monitor data processors’ security practices and require disclosure of any security breaches or incidents. They must notify the Data Protection Board of India and affected individuals if a personal data breach occurs.

4. Cybersecurity incidents must be reported to CERT-In within a reasonable time frame of detection. Data fiduciaries must be notified by data processors about any security breaches or personal data leaks as soon as possible.

Penalties for Failure to Comply

All Data Fiduciaries must comply with the Digital Personal Data Protection (DPDP) Act. Failure to follow its provisions or rules can lead to hefty fines, depending on the severity of the violation.

The need to obtain consent from a verified parent or guardian can create logistical challenges for personal data handlers because there is no reliable way to determine a user’s age, especially on e-commerce sites and social platforms.

What will the Data Protection Board of India (DPBI) do about breaches that happened after Aug 2023?

Once the Data Protection Board is established under the DPDPA 2023, it may investigate past data breaches that occurred after the act was enacted. Here’s what could happen:

  1. Retroactive Penalties: The DPDPA 2023 could penalise past breaches that occurred after its enactment in August 2023. Failure to comply may lead to severe legal consequences.
  2. Guidance and Remediation: Organisations might need to take steps to fix past breaches and align their practices with the new regulations.
  3. Strengthened Future Compliance: To avoid future breaches and penalties, organisations will need to comply with the new rules, demonstrating improved personal data protection measures.
  4. Enhanced Monitoring: The Board is likely to increase monitoring to prevent similar breaches under the new regulatory framework.

The Digital Personal Data Protection Act 2023 is not just a set of rules; it is a government mandate. Compliance requires a comprehensive framework with policies, regular audits, and assessments.

That’s where DPDP Consultants come in. Our team of privacy experts can help you automate consent, DPIAs and grievance redressal to simplify compliance and personal data management.

  • The DPDPA program helps organisations understand how the Digital Personal Data Protection Act 2023 will affect all parts of the organisation.
  • Offered as a SaaS model, their tool ensures valid consent by automating personal data consent requests and establishing a robust system for tracking and handling such requests within companies.
  • For existing contracts, they ensure alignment with DPDP specifications, revising them where necessary.
  • They also provide comprehensive services for establishing internal audit frameworks for regulatory alignment.
  • They assist in conducting DPIAs to assess and mitigate risks in personal data processing. Their tool automates the process, allowing concerned individuals/DPOs to conduct DPIAs through a user-friendly platform. It tracks identified risks and ensures all concerned are informed about mitigation progress.
  • The tool enables data principals to exercise their rights through a user-friendly platform, accessed manually or automatically by Data Protection Officers/concerned persons. This reduces response time and ensures compliance.
  • They offer a training program to educate staff on the new regulation, ensuring DPDP Act compliance. It enables regular and mandatory awareness sessions, followed by assessments, ensuring every employee understands the DPDP Act and the repercussions of non-compliance.

Looking for expert advice from top consultants?

Whether you need guidance on legal compliance consulting or tool-based technical solutions, DPDP Consultants can help you with the best professional services in the industry. Get tailored insights and practical solutions to help you succeed.

For news updates, expert insights, and practical tips on DPDP compliance and personal data security, please subscribe to our newsletter, Privacy Talks.
