After 11th August 2023, when DPDPA 2023 became law, there was an expectation that data breach incidents in India would come under some control and regulation. However, the delay in the notification of the rules has put the implementation of data protection on hold; companies continue to enjoy the freedom to make illegal use of personal data, and hackers enjoy the lower vigilance of the data fiduciaries.
The data breach notification obligation is at present limited to the ITA 2008 requirements, but since CERT-In does not impose civil penalties for data breaches and the adjudication system is not strong enough to take action, data breaches continue to thrive.
As a part of our “Privacy Watch” initiative, we have tried to gather some personal data breach incidents recorded since 11th August 2023 from published reports. The number of unreported incidents would of course be much higher.
In due course we may take up a detailed analysis of these incidents. In the meantime, those of you who are aware of any other incidents may kindly report them here.
1. Zoomcar Data Breach (June 2025)
- When/Where: Detected June 9, 2025; Zoomcar, India’s leading car-sharing platform.
- What Happened: Hackers breached servers, exposing personal data of 8.4 million users.
- Data Compromised: Names, email addresses, phone numbers, trip history, partial payment info.
- Impact: Users became vulnerable to phishing and identity theft; widespread media coverage; the event reignited debate about digital consumer protection.
- Key Gaps: Weaknesses in server security and payment data segmentation.
2. Surya Shakti Infotech (Kolkata) Ransomware Attack (June 2025)
- When/Where: June 19, 2025, Kolkata-based private IT services company.
- What Happened: Ransomware crippled student admission systems of several top Kolkata colleges.
- Data Compromised: Admission records, altered payment links, delayed 2025 college intakes for thousands.
- Impact: Disrupted academic schedules for Scottish Church College, Surendranath College, and others; large-scale student inconvenience.
- Key Gaps: Outdated software and insufficient ransomware defense.
3. Massive Credentials Compilation Leak (June 2025)
- What Happened: Global “Compilation of Many Breaches” (COMB)-type event, with a huge chunk linked to Indian users.
- Data Compromised: Several billion username-password pairs; included Indian bank, e-commerce, and government logins.
- Impact: Vast potential for credential stuffing, account takeovers, and targeted fraud.
- Key Gaps: Weak password practices, repeated use of credentials across sites.
4. Massive Cyberattack Campaign Post-Operation Sindoor (2025)
- When/Where: 2025, after security incident in Pahalgam.
- What Happened: Over 1.5 million cyberattacks targeting Indian government, BFSI (banking and financial services), healthcare, and critical infrastructure sites.
- Data Compromised: Over 150 successful intrusions; some incidents involved data exfiltration and service disruption.
- Impact: Raised national security concerns and highlighted critical vulnerabilities.
- Key Gaps: Unpatched web servers, social engineering, DDoS and malware.
5. 16 Billion Passwords Exposed – Compilation Data Leak (June 2025)
- When/Where: June 2025, worldwide, but affecting millions in India.
- What Happened: One of the world’s largest dumps of login credentials appeared online, sourced from infostealer malware.
- Data Compromised: Usernames, passwords, session tokens for sites like Facebook, Google, Apple, GitHub.
- Impact: Possible account takeovers, bypassing of 2FA, potential for business email compromise.
- Key Gaps: Infostealer infections on personal and enterprise devices, multi-use passwords.
6. ICMR COVID-19 Database Breach (2023)
- When/Where: Disclosed June 2023. Indian Council of Medical Research, New Delhi.
- What Happened: Massive cyberattack compromised sensitive data of about 815 million citizens from COVID-19 testing databases.
- Data Compromised: Names, Aadhaar numbers, passport info, phone numbers, addresses, and COVID-19 test results.
- Impact: Data sold on the dark web, highlighting critical weaknesses in India’s healthcare and government data security.
- Key Gaps: Poor data encryption and weak access controls.
7. AIIMS Ransomware Attack (Late 2023)
- When/Where: Late 2023, All India Institute of Medical Sciences, New Delhi.
- What Happened: Major ransomware attack disrupted hospital operations for weeks.
- Data Compromised: Over 40 million patient records—medical histories, contact and identification details.
- Impact: Disrupted patient care and exposed severe healthcare cybersecurity lapses.
- Key Gaps: Outdated infrastructure, lack of critical system segmentation.
8. Hathway ISP Data Breach (March 2024)
- When/Where: March 2024, disclosed April 2024, Hathway ISP.
- What Happened: Exploited CMS vulnerability to access and leak 41.5 million subscribers’ personal details.
- Data Compromised: Names, emails, phone numbers, addresses, account credentials, and billing details.
- Impact: Raised concerns about security practices across Indian ISPs.
- Key Gaps: Weak web application security and CMS maintenance.
9. BSNL Data Breach (July 2024)
- When/Where: July 2024, disclosed August 2024, Bharat Sanchar Nigam Limited (BSNL).
- What Happened: Attackers accessed millions of subscriber records.
- Data Compromised: IMSI, SIM details, server snapshots, account info, network data.
- Impact: Risk of SIM swapping/phishing, put millions at risk.
- Key Gaps: Endpoint protection, lack of effective incident response.
10. boAt Consumer Data Leak (Feb–Mar 2024)
- When/Where: February/March 2024, boAt consumer electronics.
- What Happened: Attackers breached the database, leaking 7.5 million customer records.
- Data Compromised: Names, addresses, phone numbers, emails, purchase history.
- Impact: Exposed users to potential scams and identity theft.
- Key Gaps: Poor database encryption and real-time detection.
11. Telangana Police Hawk Eye App (June–July 2024)
- When/Where: June 2024, disclosed July 2024, Telangana Police.
- What Happened: App vulnerability led to theft of 200,000 users’ personal/incident details.
- Data Compromised: Names, phone numbers, addresses, reports, complaints.
- Impact: Privacy risk to citizens, led to swift law enforcement response.
- Key Gaps: Inadequate mobile app security and API protection.
12. Indian Railways Data Breach (Late 2023)
- When/Where: Late 2023.
- What Happened: Cyberattack resulted in dark web sale of millions of passenger records.
- Data Compromised: Travel details, phone numbers, emails.
- Impact: Undermined trust in public sector digital safety.
- Key Gaps: Outdated digital security for critical infrastructure.
13. HDFC Bank Data Leak (2023–2024)
- When/Where: 2023–2024, HDFC Bank.
- What Happened: Major breach exposed financial customers’ details online.
- Data Compromised: Account numbers, credit card details, transactions.
- Impact: Widespread risk of financial fraud and loss of confidence.
- Key Gaps: Inadequate data access controls and threat monitoring.
14. EdTech Sector Breaches (2023–2024)
- When/Where: 2023–2024, multiple major EdTech firms.
- What Happened: Student records, email IDs, and payment info leaked via multiple attacks.
- Impact: Exposed minors’ identities, spurred concern about sectoral safeguarding.
- Key Gaps: Weak cybersecurity for rapidly expanding digital learning platforms.
15. MoChhatua App, Govt. of Odisha
- When/Where: 2023–2024.
- What Happened: Web application for ration distribution was breached, leaking users’ personal data.
- Data Compromised: Usernames, emails, passwords.
- Impact: Citizens’ privacy endangered, digital welfare services exposed as soft targets.
- Key Gaps: Poor government platform hardening and user data protection.
16. Prudential Insurance Data Leak (2024)
- What Happened: Hackers accessed insurance databases via third-party partner vulnerabilities.
- Data Compromised: Names, policy numbers, contact info for over 36,000 customers.
- Impact: Heightened concerns about third-party supplier risks in finance.
- Key Gaps: Supply chain security and third-party vendor controls.
17. WazirX Crypto Exchange Breach (2024)
- What Happened: Exchange targeted—hot wallets compromised, resulting in cryptocurrency thefts and user data leaks.
- Data Compromised: Wallet addresses, transaction IDs, possible user ID info.
- Impact: Over $230 million in assets affected, shaken confidence in Indian crypto sector.
- Key Gaps: Crypto wallet security, two-factor authentication, incident response delays.
18. SPARSH Defence Pension Portal Breach (2024)
- What Happened: Pension management platform for defense personnel compromised.
- Data Compromised: Usernames, pension numbers, and other PII.
- Impact: Potential targeting of veterans/defense staff for phishing and fraud.
- Key Gaps: Government portal security, server vulnerability management.
19. Energy Sector Espionage (2024)
- What Happened: Energy firms and critical infrastructure providers faced sophisticated attacks aiming to siphon confidential and infrastructural data.
- Data Compromised: Network layouts, personnel data, and operational documents.
- Impact: Strategic threat to India’s energy grid and resilience.
- Key Gaps: Critical infrastructure protection, advanced threat detection capabilities.
20. Department of Defence Production Phishing Attack (2024)
- What Happened: Large-scale phishing campaign targeted top officials and contractors.
- Data Compromised: Emails, attachments, and potential login credentials—scope unrevealed for national security.
- Impact: May have led to leaks of sensitive national security information.
- Key Gaps: Email security, phishing awareness among government staff.
Some of these cases will be analysed in detail during the C.DPO.DA. programs of FDPPI along with the compliance requirements.
We have already reported on the DeepSeek AI conversation in which it indicated that data worth over Rs 27800 crores is being collected and sold to foreign interests for various reasons, including election manipulation. We have also reported that DeepSeek does not fear the Indian legal system and can bribe its way through the regulators. This indicates that there are many other hidden data losses that are not reported in the above 25 incidents.
All this reflects badly on the efficiency of our system since every day of delay in the implementation of DPDPA is another day of freedom.
Naavi
Also Refer: List of recent data breaches in 2025: brightsensedefense.com