Breach of Data Privacy Case in India: Cases, Impact & Legal Gaps

In recent years, major data breaches in India have exposed personal information, including confidential and financial information of millions of its citizens. This underlined the urgent need for better data protection laws and stronger cybersecurity measures. Given below are some of the more serious data privacy breaches that have occurred in India.

1. K.S. Puttaswamy v. Union of India (2018) Aadhaar Data Breach 

Aadhaar, India's unique identification system, has witnessed several security breaches. In 2018, The Tribune reported that access to Aadhaar details, consisting of names, addresses, phone numbers, and Aadhaar numbers, was available for Rs 500 on the dark web.

What Happened?

  • Unauthorized individuals accessed the Aadhaar database through a government portal.

  • They exploited vulnerabilities in the system, which enabled them to extract and download private information of Aadhaar cardholders.

  • The breach was so severe that even biometric data was compromised, increasing the risk of identity theft.

Effects:

  • 1.1 billion Indians had their personal data leaked.

  • The hacking raised concerns about national security and violations of privacy.

  • UIDAI claimed no breach occurred, but still followed up with enhanced security features like virtual IDs.

2. Pegasus Spyware Scandal (2021)

The Pegasus spyware scandal made headlines in 2021 after reports alleged that Indian government officials had deployed Israeli spyware against journalists, activists, and politicians.

What Occurred?

  • Pegasus is military-grade spyware developed by Israel's NSO Group and used for phone hacking.

  • Through this spyware, an operator can read messages, record calls, and gain remote control over the cameras and microphones on phones.

  • Targets were prominent political figures, lawyers, and human rights workers.

Effects:

  • It sparked a new debate on digital privacy and unauthorised surveillance.

  • The apex court of India asked for an independent probe into the case.

  • The controversy raised widespread global concern over the misuse of spyware against civilians.

3. Star Health Insurance Data Leak (2024)

At the beginning of 2024, hackers leaked customer data from Star Health, a leading Indian health insurance company.

What Happened?

  • Attackers used Telegram chatbots to share policyholder data consisting of medical history, contact details, and financial information.

  • Reports suggested that insiders could also have been involved in the hack.

  • The data was being auctioned on black-market websites.

Impact:

  • Millions of customers were put at risk of fraud and identity fraud.

  • This breach exposed loopholes in India's health data security infrastructure.

  • Star Health filed a case against Telegram and enhanced its security.

4. Policybazaar Data Breach (2022)

The online insurance aggregator, Policybazaar, suffered a data breach in July 2022, exposing sensitive personal details of its customers.

What Happened?

  • A bug in Policybazaar's IT systems allowed unauthorized parties to break into the site.

  • Customers' personal information, including email addresses, PAN numbers, and insurance details, was compromised.

Impact:

  • More than 50 million users were affected.

  • The breach sounded warning alarms regarding the cybersecurity risks plaguing India's fintech sector.

  • Policybazaar informed the authorities and strengthened security measures.

5. Cambridge Analytica's India Connection

The data scandal that originated from Cambridge Analytica extended to India as well. The firm was accused of accessing Indian citizens' data on Facebook and altering the course of election campaigns.

What Happened?

  • Cambridge Analytica unilaterally harvested the data of Facebook users.

  • Reports claimed that it collaborated with Indian political parties on more targeted election campaigns.

  • The claims suggested that this data was used to alter voter behavior.

Impact:

  • Data of millions of Indian users on Facebook was compromised.

  • The scandal exposed the exploitation of digital platforms for political motives.

  • It led to scrutiny over data protection laws in India.

Regulatory Gaps of Data Privacy Laws in India

India did not have strong data privacy laws despite these events. The Personal Data Protection (PDP) Bill was first introduced in 2019 and called for stricter rules on how data is collected, processed, and stored.

On August 11, 2023, the Indian government released the Digital Personal Data Protection Act, 2023 (DPDP Act). This law is intended to protect personal data and set rules for its use in India. The DPDP Act lays down many rules on how digital personal data is collected, processed, stored, and transferred. However, the government needs to take further steps to bring the DPDP Act into effect. These include publishing the operative provisions of the DPDP Act, repealing the Privacy Rules, and publishing the rules and regulations needed to implement the Act. The DPDP Act covers only personal data that is stored digitally.

Key Challenges:

  • Lack of Clear Regulations: India continues to operate under outdated IT laws, unlike the EU with its General Data Protection Regulation (GDPR).

  • Weak Cyber Infrastructure: Most organizations do not invest in strong security systems, so hackers find them easy to penetrate.

  • Government Surveillance: Cases like Pegasus have revealed how state agencies misuse digital tools for mass surveillance.

  • Delayed Data Protection Bill: Without proper laws, companies and individuals remain vulnerable to data breaches.

Summing Up

India needs to quickly make its data protection laws stricter and its security stronger to stop hacker attacks, which are becoming more and more frequent. Businesses need better security systems to keep people safe. The personal information of Indian citizens remains at risk until laws comparable to GDPR are enacted. Protecting data is no longer optional; it is a necessity, and the gaps need to be fixed right away.

FAQs on Data Privacy Breaches in India

Q1. How did the breach of Aadhaar take place?

Unauthorized access enabled people to obtain personal details of Aadhaar holders, exposing the sensitive data of more than 1.1 billion Indians.

Q2. How did the Pegasus spyware scandal affect India?

Pegasus was used to target journalists, activists, and politicians and to gain illegal access to their mobile devices.

Q3. How can one protect one's personal data?

Use sufficiently long passwords that combine letters, numbers, and special characters; enable two-factor authentication; never send sensitive information over unsecured platforms; and spread awareness of data privacy.

Q4. What were the hackers' methods of leaking customer data at Star Health?

The attackers used a Telegram bot to share details about the policyholders. This has caused alarm across India about the safety of health records.

Q5. Does this mean that India is taking steps toward protecting data?

India has introduced the Digital Personal Data Protection Bill, but its implementation has been delayed. For now, data protection is still governed by outdated IT laws.

Contact

support@thelegalschool.in

+91 6306521711

+91 9302549193

Address

5th Floor, D-7, Sector 3, Noida - Uttar Pradesh

Social

linkedin

© The Legal School