Data Breach Laws in India – What to Do If Your Data is Leaked & Legal Rights 2025


Your personal data leaked online? Bank details exposed? Aadhaar data found on unprotected server?

Data breaches are rising in India – affecting millions annually. From small startups to major corporations, no one is immune.

Under the Digital Personal Data Protection Act, 2023, you have rights and companies have obligations. Let's understand everything about data breaches and your legal protection.

What is a Data Breach?

Data breach = Unauthorized access, acquisition, disclosure, or loss of personal data

Types:

1. Hacking:

  • Cyber attackers break into systems

  • Steal database containing personal information

  • Most common type

2. Insider Threat:

  • Employee steals data

  • Malicious or negligent

  • Sells to third parties

3. Lost/Stolen Devices:

  • Laptop, hard drive, USB containing data

  • Physical theft

4. Poor Security:

  • Unprotected databases

  • Weak passwords

  • No encryption

5. Social Engineering:

  • Phishing attacks

  • Tricking employees into revealing data

6. Third-Party Breach:

  • Vendor/partner's system compromised

  • Your data stored there affected

Major Data Breaches in India (Recent):

Examples:

  • 2024: E-commerce platform - 10 million user records leaked

  • 2023: Healthcare app - Patient data including medical records exposed

  • 2023: Food delivery app - Customer addresses and phone numbers leaked

  • 2022: Telecom company - Call records and personal details

  • 2021: Multiple COVID-19 vaccine databases - Names, Aadhaar numbers accessible

Reality: Your data has likely been in multiple breaches (check haveibeenpwned.com)

Legal Framework for Data Breaches:

1. Digital Personal Data Protection Act (DPDP Act), 2023:

Came into effect: Progressively being implemented (rules being notified)

Key provisions:

Company obligations:

  • Must protect data with reasonable security

  • Must report breaches to Data Protection Board

  • Must notify affected individuals

  • Failure = Heavy penalties

Your rights:

  • Right to be informed of breach

  • Right to access what data was leaked

  • Right to complain to Data Protection Board

  • Right to compensation

2. Information Technology Act, 2000:

Section 43: Computer-related offenses

  • Unauthorized access to computer system

  • Downloading/extracting data

  • Compensation up to ₹5 crore

Section 43A: Body corporate's liability

  • Must implement reasonable security practices

  • Failure causing wrongful loss = Liable for compensation

Section 66: Hacking

  • Punishment: 3 years jail + fine up to ₹5 lakh

Section 72: Breach of confidentiality/privacy

  • Punishment: 2 years jail + ₹1 lakh fine

3. Identity Theft and Fraud (IT Act and Indian Penal Code/BNS):

Section 66C IT Act: Identity theft (3 years jail)

Section 66D IT Act: Cheating using stolen data (3 years jail)

Fraud using leaked data: Relevant BNS sections apply

What Data is Considered "Personal"?

Under DPDP Act:

Personal data includes:

  • Name, age, gender

  • Contact details (phone, email, address)

  • ID numbers (Aadhaar, PAN, passport, DL)

  • Financial information (bank account, credit card)

  • Biometric data (fingerprints, iris)

  • Health records

  • Location data

  • Online identifiers (IP address, cookies)

  • Photos, videos of you

  • Any data that can identify you

Sensitive personal data (higher protection):

  • Financial information

  • Health records

  • Biometric data

  • Sexual orientation

  • Passwords

  • Official identifiers (Aadhaar, PAN)

Company Obligations When Breach Occurs:

Under DPDP Act & IT Act:

1. Detect and contain:

  • Identify breach quickly

  • Stop further data leak

  • Secure systems

2. Assess impact:

  • What data was compromised?

  • How many individuals affected?

  • What harm can result?

3. Report to Data Protection Board:

  • Within 72 hours of becoming aware (as per draft rules)

  • Details of breach

  • Data affected

  • Steps taken

Failure to report: Penalty up to ₹250 crore

4. Notify affected individuals:

  • Promptly inform all affected people

  • Via email, SMS, or other direct method

  • Explain:

    • What happened

    • What data was compromised

    • Potential risks

    • Steps being taken

    • What individuals should do (change passwords, monitor accounts)

If high-risk breach: Public notification may be required

5. Take remedial measures:

  • Fix vulnerability

  • Implement better security

  • Offer credit monitoring (if financial data leaked)

  • Password reset for all users

6. Cooperate with investigation:

  • Provide information to regulators

  • Allow audits

  • Maintain records

Your Rights as Affected Individual:

1. Right to be Notified:

  • Company must inform you if your data breached

  • Details of what data, what risks

Can't hide the breach from you!

2. Right to Know:

  • What specific data of yours was leaked

  • When breach occurred

  • How it happened

  • What steps company is taking

Request in writing if not provided

3. Right to Access:

  • Copy of your data held by company

  • Understand what they have on you

4. Right to Correction/Erasure:

  • If incorrect data, demand correction

  • Request deletion if no longer needed

5. Right to Complain:

  • File complaint with Data Protection Board

  • Against company for negligence

  • For not notifying you

6. Right to Compensation:

  • If you suffered loss due to breach

  • Financial loss, identity theft, mental agony

  • From company (directly or via court/Board)

What to Do If You're Affected by Data Breach:

Immediate Actions (First 24 Hours):

Step 1: Verify the Breach:

  • Confirm notification is genuine (not phishing scam)

  • Check company's official website/social media

  • Visit: haveibeenpwned.com (enter your email to check past breaches)

Step 2: Change Passwords Immediately:

  • For the affected service

  • For any other accounts using SAME password

  • Use strong, unique passwords (password manager recommended)

  • Enable two-factor authentication (2FA) everywhere

Password checklist:

  ✓ At least 12 characters

  ✓ Mix of uppercase, lowercase, numbers, symbols

  ✓ Not dictionary words

  ✓ Different password for each account

  ✓ Use password manager (Bitwarden, 1Password, LastPass)

Step 3: Monitor Financial Accounts:

If bank/card details leaked:

  • Check bank statements daily for suspicious transactions

  • Monitor credit card bills

  • Set up transaction alerts (SMS for every transaction)

  • Consider blocking and getting new card

Notify your bank:

  • Inform about breach

  • Request enhanced monitoring

  • Block old card, issue new one

Step 4: Check Credit Report:

Get free credit report:

  • CIBIL, Experian, Equifax

  • Check for unauthorized loan applications

  • Look for accounts you didn't open

Set up credit monitoring alerts

If suspicious activity: File dispute immediately

Step 5: Enable Fraud Alerts:

  • With banks

  • With credit bureaus

  • With relevant services

Step 6: Document Everything:

  ✓ Breach notification received (screenshot/save email)

  ✓ Date and time you learned of breach

  ✓ What data was compromised (as per notification)

  ✓ Actions you took

  ✓ Any financial loss incurred

  ✓ Time spent dealing with breach

  ✓ Communication with company

This becomes evidence for compensation claim

Short-term Actions (First Week):

Step 7: Review Account Activity:

  • Check all your online accounts

  • Look for unauthorized access

  • Review privacy settings

  • Update recovery email/phone

Step 8: Beware of Phishing:

After breach, expect scams:

  • Fraudsters will use leaked data to target you

  • Phishing emails pretending to be from company

  • Calls demanding "verification" of details

Red flags:

  🚩 Urgent action required

  🚩 Asking for password/OTP

  🚩 Suspicious links

  🚩 Too good to be true offers

Don't click links in unsolicited emails!

Step 9: Report Identity Theft (If Occurred):

If someone misused your data:

  • File FIR at police station

  • Complaint on cybercrime.gov.in

  • Inform banks/financial institutions

  • Notify credit bureaus

Step 10: File Complaint with Company:

Formal written complaint:

To,
[Company Name]
[Grievance Officer]
[Address]

Date: [Date]

Subject: Complaint regarding data breach - Customer ID [Your ID]

Dear Sir/Madam,

I am your customer with [Account/User ID: XXX]. I was affected by the data breach disclosed on [Date].

As per your notification, my [type of data] was compromised. This has caused me:
1. [Financial loss/Mental agony/Time spent - describe]
2. [Any fraud attempts on my accounts]
3. [Other impacts]

I request you to:
1. Provide detailed information about what exact data of mine was leaked
2. Explain how this breach occurred and what security failures led to it
3. Confirm what remedial measures you have taken
4. Compensate me for losses suffered (amount: ₹XXX with justification)

As per DPDP Act and IT Act, you are liable for this breach due to inadequate security measures.

If not addressed within 15 days, I shall file complaint with Data Protection Board and take legal action.

Evidence of loss enclosed.

Yours sincerely,
[Your Name]
[Contact Details]

Long-term Actions:

Step 11: File Complaint with Data Protection Board:

If company doesn't respond satisfactorily:

When Board is established (being set up):

  • Online complaint portal (to be announced)

  • Details of breach

  • Company's failure to protect data

  • Your losses

  • Request compensation

Currently (during transition):

Step 12: Legal Action:

Options:

A) Section 43A IT Act:

  • File case for negligence

  • Compensation up to ₹5 crore

  • In District Court or Cyber Appellate Tribunal

B) Consumer Forum:

  • Deficiency in service

  • Not protecting your data = unfair trade practice

  • Compensation for loss + harassment

C) Civil Suit:

  • For damages (tort of negligence)

  • Breach of contract (if terms promised data protection)

Lawyer fees: ₹25,000-₹2,00,000+ depending on claim

Success stories: Many consumers have won compensation (₹50,000-₹5 lakh in reported cases)

Step 13: Preventive Measures (Going Forward):

Minimize data sharing - Give only essential information

Read privacy policies - Understand how data is used

Use disposable emails - For non-critical signups

Virtual cards - For online payments (some banks offer)

VPN - Encrypt internet traffic

Antivirus/security software - Keep updated

Regular monitoring - Check accounts periodically

Data minimization - Delete old accounts you don't use

Right to erasure - Request companies to delete your data if not needed

Claiming Compensation:

What you can claim:

1. Financial losses:

  • Money stolen from account

  • Fraudulent transactions

  • Cost of credit monitoring service

  • Cost of getting new cards/documents

2. Time and effort:

  • Time spent dealing with breach

  • Multiple calls, emails, visits

  • Documentation, complaint filing

3. Mental agony:

  • Stress, anxiety, sleepless nights

  • Loss of privacy

  • Fear of identity theft

4. Future risks:

  • Increased vulnerability

  • Potential for future fraud

Typical compensation (based on past IT Act cases):

  • Minor breach, no loss: ₹25,000-₹50,000 (for harassment)

  • Financial loss: Actual loss + ₹50,000-₹2 lakh

  • Severe breach with identity theft: ₹2-10 lakh+

Under DPDP Act: Potential for higher compensation (provisions being finalized)

Company Penalties:

Under DPDP Act:

Data Protection Board can impose penalties:

  • Up to ₹250 crore per violation

  • For not implementing security safeguards

  • For not reporting breach

  • For not notifying individuals

Also: Criminal prosecution under IT Act (jail up to 3 years for hacking)

Specific Breach Scenarios:

A) Aadhaar Data Leaked:

What to do:

  • Lock Aadhaar biometrics (uidai.gov.in)

  • File complaint with UIDAI

  • Monitor authentication history

  • Report to police if misused

Can't change Aadhaar number, so vigilance crucial

B) PAN Data Leaked:

Actions:

  • Can't change PAN

  • Monitor income tax portal for unauthorized access

  • Check CIBIL for fake loan applications

  • Inform Income Tax Department

C) Banking/Card Details Leaked:

Immediate:

  • Block card

  • Change net banking password

  • Enable transaction alerts

  • Monitor statements

Banks usually cover:

  • Zero liability for fraudulent transactions (if reported promptly)

  • RBI guidelines protect customers

D) Medical Records Leaked:

Sensitive data!

Actions:

  • Complaint to hospital/clinic

  • Privacy violation under DPDP Act

  • Can cause discrimination (insurance, employment)

  • Legal action for damages

E) Login Credentials Leaked:

If username/password database breached:

  • Change password immediately

  • If reused elsewhere, change those too

  • Check activity logs

  • Enable 2FA

Prevention Tips (For Future):

  ✓ Different passwords for each account (password manager!)

  ✓ 2FA everywhere - Authenticator apps preferred over SMS

  ✓ Regular monitoring - Check haveibeenpwned.com quarterly

  ✓ Privacy settings - Review on all platforms

  ✓ Limit data sharing - Don't overshare on social media

  ✓ Read privacy policies - Understand what data is collected

  ✓ Opt out - Of data sharing where possible

  ✓ Secure home network - Strong WiFi password, updated router firmware

  ✓ Software updates - Keep all devices updated

  ✓ Backup - Regular backups of important data

  ✓ Encryption - For sensitive files

How to Check If You're Affected:

Tools:

1. Have I Been Pwned (haveibeenpwned.com):

  • Free service by security researcher Troy Hunt

  • Enter your email

  • Shows all known breaches your email was in

  • Over 12 billion accounts tracked

2. Firefox Monitor (monitor.firefox.com):

  • Similar service

  • Email alerts for new breaches

3. Google Password Checkup:

  • Checks if your saved passwords were in breaches

4. Credit Monitoring Services:

  • CIBIL, Experian alerts

Red Flags - Company Not Taking Breach Seriously:

  🚩 Delayed notification (more than a week after breach)

  🚩 Vague information ("some data may have been compromised")

  🚩 Downplaying severity

  🚩 Not offering remedial measures (password reset, credit monitoring)

  🚩 Blaming users

  🚩 No clear plan to prevent future breaches

  🚩 Ignoring your complaint

If these red flags: File complaint with regulators immediately

Future of Data Breach Laws in India:

DPDP Act implementation:

  • Data Protection Board being set up

  • Rules being finalized

  • Stricter enforcement expected

  • Companies will face heavy penalties

Better for consumers:

  • Clear rights

  • Easier complaint process

  • Mandatory breach notification

  • Higher compensation

Global standards:

  • Similar to EU's GDPR

  • Bringing India's data protection to international levels

Real Cases:

Case 1: 2023, E-commerce company data breach. Customer's credit card details used for fraudulent transactions (₹45,000). Customer filed complaint, company initially denied. Filed IT Act case. Company settled, refunded ₹45,000 + ₹1 lakh compensation.

Case 2: Healthcare app leaked patient data including HIV status. Patient faced discrimination. Filed case under IT Act + defamation. Court awarded ₹5 lakh compensation for privacy violation and mental agony.

Case 3: 2022, Customer data sold by company employee to competitor. Affected customer received spam calls. Filed Consumer Forum complaint. Forum ordered ₹50,000 compensation for deficiency in service (not protecting data).

Conclusion:

Data breaches are unfortunately common, but you're not powerless. With DPDP Act, your rights are stronger than ever.

Key steps:

  • Act immediately when breach occurs

  • Change passwords, monitor accounts

  • Document everything

  • File complaints if company negligent

  • Claim compensation for losses

Your data, your rights. Companies must protect it or pay the price!

Affected by data breach? Follow these steps and protect yourself!
