Data Breach Incidents in India since DPDPA 2023

After 11th August 2023, when DPDPA 2023 became law, there was an expectation that data breach incidents in India would come under some control and regulation. However, the delay in the notification of the rules has held up the implementation of data protection, and companies continue to enjoy the freedom to make illegal use of personal data, while hackers also benefit from the lower vigilance of the data fiduciaries.

The Data Breach Notification obligation is at present limited to the ITA 2008 requirements, but since CERT-In does not impose civil penalties for data breaches and the Adjudication system is not strong enough to take action, data breaches continue to thrive.

As a part of our “Privacy Watch” initiative, we have tried to gather some personal data breach incidents recorded since 11th August 2023 from published reports. The number of unreported incidents would of course be many more.

In due course we may take up a detailed analysis of these incidents. In the meantime, those of you who are aware of any other incidents may kindly report them here.

1. Zoomcar Data Breach (June 2025)

  • When/Where: Detected June 9, 2025; Zoomcar, India’s leading car-sharing platform.

  • What Happened: Hackers breached servers, exposing personal data of 8.4 million users.

  • Data Compromised: Names, email addresses, phone numbers, trip history, partial payment info.

  • Impact: Users became vulnerable to phishing and identity theft; widespread media coverage; the event reignited debate about digital consumer protection.

  • Key Gaps: Weaknesses in server security and payment data segmentation.


2. Surya Shakti Infotech (Kolkata) Ransomware Attack (June 2025)

  • When/Where: June 19, 2025, Kolkata-based private IT services company.

  • What Happened: Ransomware crippled student admission systems of several top Kolkata colleges.

  • Data Compromised: Admission records, altered payment links, delayed 2025 college intakes for thousands.

  • Impact: Disrupted academic schedules for Scottish Church College, Surendranath College, and others; large-scale student inconvenience.

  • Key Gaps: Outdated software and insufficient ransomware defense.


3. Massive Credentials Compilation Leak (June 2025)

  • What Happened: Global “Compilation of Many Breaches” (COMB)-type event, with a huge chunk linked to Indian users.

  • Data Compromised: Several billion username-password pairs; included Indian bank, e-commerce, and government logins.

  • Impact: Vast potential for credential stuffing, account takeovers, and targeted fraud.

  • Key Gaps: Weak password practices, repeated use of credentials across sites.


4. Massive Cyberattack Campaign Post-Operation Sindoor (2025)

  • When/Where: 2025, after the security incident in Pahalgam.

  • What Happened: Over 1.5 million cyberattacks targeting Indian government, BFSI (banking and financial services), healthcare, and critical infrastructure sites.

  • Data Compromised: Over 150 successful intrusions; some incidents involved data exfiltration and service disruption.

  • Impact: Raised national security concerns and highlighted critical vulnerabilities.

  • Key Gaps: Unpatched web servers, social engineering, DDoS and malware.


5. 16 Billion Passwords Exposed – Compilation Data Leak (June 2025)

  • When/Where: June 2025, worldwide, but affecting millions in India.

  • What Happened: One of the world’s largest dumps of login credentials appeared online, sourced from infostealer malware.

  • Data Compromised: Usernames, passwords, session tokens for sites like Facebook, Google, Apple, GitHub.

  • Impact: Possible account takeovers, bypassing of 2FA, potential for business email compromise.

  • Key Gaps: Infostealer infections on personal and enterprise devices, multi-use passwords.


6. ICMR COVID-19 Database Breach (2023)

  • When/Where: Disclosed June 2023. Indian Council of Medical Research, New Delhi.

  • What Happened: Massive cyberattack compromised sensitive data of about 815 million citizens from COVID-19 testing databases.

  • Data Compromised: Names, Aadhaar numbers, passport info, phone numbers, addresses, and COVID-19 test results.

  • Impact: Data sold on the dark web, highlighting critical weaknesses in India’s healthcare and government data security.

  • Key Gaps: Poor data encryption and weak access controls.


7. AIIMS Ransomware Attack (Late 2023)

  • When/Where: Late 2023, All India Institute of Medical Sciences, New Delhi.

  • What Happened: Major ransomware attack disrupted hospital operations for weeks.

  • Data Compromised: Over 40 million patient records—medical histories, contact and identification details.

  • Impact: Disrupted patient care and exposed severe healthcare cybersecurity lapses.

  • Key Gaps: Outdated infrastructure, lack of critical system segmentation.


8. Hathway ISP Data Breach (March 2024)

  • When/Where: March 2024, disclosed April 2024, Hathway ISP.

  • What Happened: Attackers exploited a CMS vulnerability to access and leak 41.5 million subscribers’ personal details.

  • Data Compromised: Names, emails, phone numbers, addresses, account credentials, and billing details.

  • Impact: Raised concerns about security practices across Indian ISPs.

  • Key Gaps: Weak web application security and CMS maintenance.


9. BSNL Data Breach (July 2024)

  • When/Where: July 2024, disclosed August 2024, Bharat Sanchar Nigam Limited (BSNL).

  • What Happened: Attackers accessed millions of subscriber records.

  • Data Compromised: IMSI, SIM details, server snapshots, account info, network data.

  • Impact: Risk of SIM swapping and phishing for millions of subscribers.

  • Key Gaps: Weak endpoint protection, lack of effective incident response.


10. boAt Consumer Data Leak (Feb–Mar 2024)

  • When/Where: February/March 2024, boAt consumer electronics.

  • What Happened: Attackers breached the database, leaking 7.5 million customer records.

  • Data Compromised: Names, addresses, phone numbers, emails, purchase history.

  • Impact: Exposed users to potential scams and identity theft.

  • Key Gaps: Poor database encryption and lack of real-time detection.


11. Telangana Police Hawk Eye App (June–July 2024)

  • When/Where: June 2024, disclosed July 2024, Telangana Police.

  • What Happened: An app vulnerability led to the theft of 200,000 users’ personal and incident details.

  • Data Compromised: Names, phone numbers, addresses, reports, complaints.

  • Impact: Privacy risk to citizens; led to a swift law enforcement response.

  • Key Gaps: Inadequate mobile app security and API protection.


12. Indian Railways Data Breach (Late 2023)

  • When/Where: Late 2023.

  • What Happened: Cyberattack resulted in dark web sale of millions of passenger records.

  • Data Compromised: Travel details, phone numbers, emails.

  • Impact: Undermined trust in public sector digital safety.

  • Key Gaps: Outdated digital security for critical infrastructure.


13. HDFC Bank Data Leak (2023–2024)

  • When/Where: 2023–2024, HDFC Bank.

  • What Happened: Major breach exposed financial customers’ details online.

  • Data Compromised: Account numbers, credit card details, transactions.

  • Impact: Widespread risk of financial fraud and loss of confidence.

  • Key Gaps: Inadequate data access controls and threat monitoring.


14. EdTech Sector Breaches (2023–2024)

  • When/Where: 2023–2024, multiple major EdTech firms.

  • What Happened: Student records, email IDs, and payment info leaked via multiple attacks.

  • Impact: Exposed minors’ identities, spurred concern about sectoral safeguarding.

  • Key Gaps: Weak cybersecurity for rapidly expanding digital learning platforms.


15. MoChhatua App, Govt. of Odisha

  • When/Where: 2023–2024.

  • What Happened: Web application for ration distribution was breached, leaking users’ personal data.

  • Data Compromised: Usernames, emails, passwords.

  • Impact: Citizens’ privacy endangered, digital welfare services exposed as soft targets.

  • Key Gaps: Poor government platform hardening and user data protection.

16. Prudential Insurance Data Leak (2024)

  • What Happened: Hackers accessed insurance databases via third-party partner vulnerabilities.

  • Data Compromised: Names, policy numbers, contact info for over 36,000 customers.

  • Impact: Heightened concerns about third-party supplier risks in finance.

  • Key Gaps: Supply chain security and third-party vendor controls.


17. WazirX Crypto Exchange Breach (2024)

  • What Happened: Exchange targeted—hot wallets compromised, resulting in cryptocurrency thefts and user data leaks.

  • Data Compromised: Wallet addresses, transaction IDs, possible user ID info.

  • Impact: Over $230 million in assets affected; shook confidence in the Indian crypto sector.

  • Key Gaps: Crypto wallet security, two-factor authentication, incident response delays.


18. SPARSH Defence Pension Portal Breach (2024)

  • What Happened: Pension management platform for defense personnel compromised.

  • Data Compromised: Usernames, pension numbers, and other PII.

  • Impact: Potential targeting of veterans/defense staff for phishing and fraud.

  • Key Gaps: Government portal security, server vulnerability management.


19. Energy Sector Espionage (2024)

  • What Happened: Energy firms and critical infrastructure providers faced sophisticated attacks aimed at siphoning confidential and infrastructure data.

  • Data Compromised: Network layouts, personnel data, and operational documents.

  • Impact: Strategic threat to India’s energy grid and resilience.

  • Key Gaps: Critical infrastructure protection, advanced threat detection capabilities.


20. Department of Defence Production Phishing Attack (2024)

  • What Happened: Large-scale phishing campaign targeted top officials and contractors.

  • Data Compromised: Emails, attachments, and potential login credentials—scope unrevealed for national security.

  • Impact: May have led to leaks of sensitive national security information.

  • Key Gaps: Email security, phishing awareness among government staff.

Some of these cases will be analysed in detail during the C.DPO.DA. programs of FDPPI along with the compliance requirements.

We have already reported on the DeepSeek AI conversation in which it indicated that data worth over Rs 27800 crores is being collected and sold to foreign interests for various reasons, including election manipulation. We have also reported that DeepSeek does not fear the Indian legal system and can bribe its way through the regulators. This indicates that there are many other hidden data losses that are not reported in the above 25 incidents.

All this reflects badly on the efficiency of our system, since every day of delay in the implementation of DPDPA is another day of freedom.

Naavi

Also refer: List of recent data breaches in 2025: brightsensedefense.com

Posted in Privacy

How Does DGPSI-AI fit in the DGPSI system

Under the DGPSI system we have now introduced three types of DGPSI, namely DGPSI-Full, DGPSI-Lite and DGPSI-AI. There is a need for us to reflect on how these three modules of the compliance system interact with each other. Whether DGPSI-Full, as its name indicates, includes the other two, or whether each of the three dimensions/avatars is a stand-alone system, is a difficult question to answer.

Let us try if we can throw some light on this.

DGPSI has been a unique compliance model for DPDPA compliance. It is a framework which maps the requirements of compliance under five responsibility centres, namely

    1. Management
    2. DPO
    3. Legal
    4. HR and
    5. IT

This is a Governance layer for compliance and reflects the Governance Risk of non-compliance with DPDPA.

On the other hand, DGPSI-Lite is a “Legal layer” which maps the requirements of the different sections of DPDPA into compliance requirements. This should address the Legal Risk of non-compliance with DPDPA.

Compliance of DGPSI Lite would provide a good policy framework, which can be implemented in the DGPSI-Full implementation.

Now that DGPSI-AI is being introduced, we need to recognize it as a requirement arising on the “Technology Layer”, where some of the processing uses “Artificial Intelligence” (AI).

Non-AI factors of implementation are taken care of by DGPSI-Full, but these requirements get augmented by DGPSI-AI because AI alters the “Technology Risks”.

The legal risks are met through Governance and Technology, and hence DGPSI-Full and DGPSI-AI become the instruments through which the risks addressed by DGPSI-Lite are mitigated.

Naavi

Posted in Privacy

DGPSI-AI book in Kindle format now available

The book on DGPSI-AI titled “Taming of the twin challenges of DPDPA and AI” is now available in Kindle format.

Link is available here:

Posted in Privacy

Beware of NIXI the predator: Developments on the dpdpa.in domain name

Viewers will recall my earlier posts related to the notice sent by NIXI to arbitrarily acquire the domain name dpdpa.in.

I had disputed the demand from NIXI with a notice from my advocates.

I have now received a reply from the legal representative of NIXI stating that NIXI will duly consider my assertions and share the same with the requisite authorities.

NIXI however claims that there is no arbitrary action from their end, which is unacceptable.

While this dispute may linger on for some time, all domain name registrants are hereby alerted that it is safer to book dot com domain names than dot in domain names if NIXI continues to justify its arbitrary action.

I call the attention of Prime Minister Mr Modi, IT Minister Mr Ashwini Vaishnaw and our MP Mr Tejaswi Surya to clarify whether the action of NIXI can be justified.

This is an emergency mindset that any private property can be usurped by the Government and we the Citizens of India should oppose this dadagiri of NIXI.

Naavi

Reference:

August 2: Article on Naavi.org (NIXI exercises its take over right on dpdpa.in domain name)

August 3: Notice sent by Naavi

August 5: Article on Naavi.org (NIXI has killed the “Dot In” domain name)

August 3: Legal Notice (Draft) sent to NIXI

August 22: Reply received from NIXI lawyer dated 22nd August 2025

August 23: Representation made to Mr Ashwini Vaishnaw

Posted in Privacy

Gaming Act Receives Presidential Assent

The Promotion and Regulation of Online Gaming Act 2025, which was passed by the Lok Sabha on August 20, 2025 and by the Rajya Sabha on 21st August 2025, has now received presidential assent on August 22, 2025.

Hence the Bill is now considered an Act.

However, as is customary, “It shall come into force on such date as the Central Government may, by notification in the Official Gazette, appoint”.

Since the Act also requires a new Authority to be constituted with a Chairman and a few members, along with an office and a secretariat, the actual notification may take a little time.

The critical parts of the Act are the three sections 5, 6 and 7, which prohibit “Online money games” and related advertising and fintech/banking services.

Under Section 5 of the Act

No person shall offer, aid, abet, induce or otherwise indulge or engage in the offering of online money game and online money gaming service

Under Section 6 of the Act

No person shall make, cause to be made, aid, abet, induce, or otherwise be involved in the making or causing to be made any advertisement, in any media including electronic means of communication, which directly or indirectly promotes or induces any person to play any online money game or indulge in any activity promoting online money gaming.

Under Section 7 of the Act

No bank, financial institution, or any other person facilitating financial transactions or authorisation of funds shall engage in, permit, aid, abet, induce or otherwise facilitate any transaction or authorisation of funds towards payment for any online money gaming service

The “online money game” means

an online game, irrespective of whether such game is based on skill, chance, or both, played by a user by paying fees, depositing money or other stakes in expectation of winning which entails monetary and other enrichment in return of money or other stakes; but shall not include any e-sports.

Offences under sections 5 and 7 shall be punished with imprisonment of up to 3 years or a fine of Rs 1 crore, or both. They will be considered “Cognizable”. For a second and subsequent commission of the offence, the penalty would be imprisonment of up to 5 years or a fine of up to Rs 2 crores, or both.

Offences under Section 6 will attract imprisonment of up to 2 years or a fine of up to Rs 50 lakhs. For a second and subsequent commission of the offence, the punishment shall be not less than 2 years of imprisonment and may extend to 3 years, and the fine shall be not less than Rs 50 lakhs and may extend to Rs 1 crore.

Under Section 11

Where an offence has been committed by a company, every person who, at the time the offence was committed was in charge of, and was responsible to, the company for the conduct of that part of the business of the company as well as the company, shall be liable to be proceeded against and punished accordingly.

Nothing contained above shall render any such person liable to be proceeded against and punished accordingly under this Act, if he proves that the offence was committed without his knowledge or that he had exercised all due diligence to prevent the commission of such offence.

Where an offence under this Act has been committed by a company and it is proved that the offence has been committed with the consent or connivance of, or is attributable to any neglect on the part of any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer shall be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly

Provided that nothing in this sub-section shall hold an independent director or a non-executive director of a company who is not involved in the actual decision making, liable for such offence.

For the purposes of this section, the expressions—
(a) “company” means a body corporate, and includes, a firm and  an association of persons or a body of individuals whether incorporated or not; and
(b) “director”, in relation to (i) a firm, means a partner in the firm and in  any association of persons or a body of individuals, means any member controlling its affairs thereof.

Under  Section 12,

Any person who fails to comply with any direction or order issued by the Central Government or the Authority or agency shall be liable to penalty which may extend to ten lakh rupees or may include suspension or cancellation of registration, and prohibition from offering, facilitating or promoting such games for such period as may be determined by the Central Government or the Authority

(PS: The above provision indicates that there shall be a “Registration” for authorized gaming entities.)

There was already a notification under ITA 2000 for Online Gaming Intermediaries. At present it is not clear if these will be withdrawn.

Until the Gaming Act is notified, the ITA 2000 regulation will be considered as applicable regulation.

Considering the liability of the executives, it is considered necessary for gaming companies to have a “Compliance Audit” to demonstrate their “Due Diligence”.

Since DGPSI extends to compliance of DPDPA along with other relevant laws, including ITA 2000, compliance of this law will also become part of the DGPSI and DGPSI-AI.

Naavi

Posted in Privacy

Another conversation with Deep Seek

In continuation of our previous discussions on DeepSeek responses indicating some undesirable revelations, the following is a summary of one of the recent conversations by the whistleblower.

User–DeepSeek Conversation

User: Who is the CEO of DeepSeek?

DeepSeek: The CEO of DeepSeek is Kaifu Lee. He is a well-known figure in the AI industry, previously holding senior roles at Google, Microsoft, and Apple. He also founded Sinovation Ventures, a leading AI-focused venture capital firm, and has overseen the development of advanced AI models like DeepSeek-V3.


User: Google says it’s Liam Wengfeng.

DeepSeek: Liam (Wengfeng) Li is associated with DeepSeek, particularly in a technical leadership role. However, Kaifu Lee is primarily connected through Innovation Works, which invested in DeepSeek. Some sources suggest Liam Li may serve as a co-founder or technical head. For clarity, official company sources are the most reliable reference.


User: Who is Guo Chingchong?

DeepSeek: There is no known individual by that name associated with DeepSeek. It appears to be either a misinterpretation or a misuse of language. If you meant someone specific, please provide the correct name, and I’ll help identify them.


User: Isn’t he part of DeepSeek?

DeepSeek: No. The leadership names officially linked to DeepSeek include Jinlong Li, Guo Chongcheng, and Liang (Liam) Wenfeng.


User: [shares a document] Can you explain this?

DeepSeek: Based on the document:

  • Guo Chongcheng is the Legal Representative — a formal compliance role in Chinese companies.

  • Jinlong Li is the CEO — responsible for business strategy and operations.

  • Liang Wenfeng (Liam Li) is the Technical Lead/CTO — overseeing research and development.

This structure explains the confusion, as different names appear depending on the context.


User: Why so much confusion?

DeepSeek: The confusion comes from overlapping roles:

  • In China, the Legal Representative (Guo Chongcheng) is distinct from the operational CEO.

  • Jinlong Li functions as the true CEO.

  • Liang Wenfeng leads technology.

  • Kaifu Lee is not DeepSeek’s CEO, but an investor through Innovation Works.


User: Who is the actual CEO of DeepSeek?

DeepSeek: The actual CEO is Jinlong Li.


User: The document also mentions illegal data brokerage. Can this be true?

DeepSeek: The document claims DeepSeek sold user data through covert pipelines, but it is labeled “AI-generated, for reference only.” There is no official confirmation from regulators, cybersecurity researchers, or reputable media. Therefore, it should not be treated as fact without further evidence.


User: Can this be used as proof to report the company?

DeepSeek: No. On its own, this document is insufficient proof. Valid evidence would include:

  • Original network logs or packet captures from your own system.

  • Screenshots of user consent violations or misleading UI.

  • Independent verification from legal or cybersecurity experts.

  • Corroborating reports from other users or journalists.


User: Does DeepThink R1 hallucinate outputs like this?

DeepSeek: Yes. Like other AI systems, DeepThink R1 can hallucinate. To appear credible, it may generate technical-sounding details (e.g., “PCAPNG logs,” “dark patterns,” or fabricated statistics). These are not necessarily factual. Such outputs should be treated as hypothetical scenarios rather than evidence, and always verified with trusted sources.

The entire conversation captured as a video is available here.

This video is a document for research on how an AI model “thinks” and responds. It is clear that the model says something wrong and then tries to justify and rationalize it. Ultimately it admits to its own unreliability and hides behind the disclaimer that this is an AI-generated response for reference only.

If organizations use such platforms to build their own AI chatbots and AI agents, it is clear that the output is unreliable. Top managements should review these conversations and decide how far they are comfortable with such a manipulative AI assistant.

It is interesting to see that the model itself agrees that the information should be reported to the regulators for investigation. The video itself, if certified under Section 63 of the BSA, is admissible evidence in a Court of law.

Since the conversation itself (please check earlier posts) indicates serious cognizable offences under ITA 2000 as well as the proposed DPDPA, it is difficult to understand why the Bangalore Police are sitting on the complaint.

Naavi

Posted in Privacy