Data Breaches in India: A Timeline of Major Incidents
Over 1.8 billion records belonging to Indian citizens were exposed between 2018 and 2025. Here's a year-by-year breakdown of the biggest data breaches, what went wrong each time, and what ordinary people can actually do about it.

1.8 billion. That’s roughly how many personal records tied to Indian citizens showed up on dark web marketplaces, Telegram channels, and hacker forums between 2018 and early 2025, according to estimates compiled from CERT-In advisories, independent security researchers, and breach-tracking databases. The number is probably higher. Most breaches in India go unreported for months, sometimes years, and a good chunk never get disclosed at all.
What follows isn’t a neat corporate summary. It’s a messy, frustrating timeline of how companies and government agencies failed to protect the data they collected from hundreds of millions of people—and what patterns keep showing up.
2018: The Aadhaar Leak That Started It All
The story really begins in January 2018, when a report in The Tribune revealed that anonymous sellers on WhatsApp were offering access to the entire Aadhaar database for as little as Rs 500. For another Rs 300, they’d print out a fake Aadhaar card with any number you wanted.
The Unique Identification Authority of India (UIDAI) pushed back hard. They called the report irresponsible, filed an FIR against the journalist who broke the story, and insisted that biometric data hadn’t been compromised. But the damage was something you couldn’t wave away with a press release. Over 1.1 billion Aadhaar records—names, addresses, twelve-digit identity numbers, and in certain cases photographs and fingerprint data—had been sitting behind unprotected API endpoints used by various state government agencies.
Several security researchers had flagged these open endpoints months before the Tribune report. A French researcher named Baptiste Robert (known online as Elliot Alderson) publicly demonstrated how easy it was to pull Aadhaar data from poorly secured state websites. The Jharkhand government’s website, for instance, had been leaking Aadhaar numbers through its beneficiary lists. Nobody fixed the issue until it hit newspapers.
What made the Aadhaar leak different from every other breach on this list is scale and permanence. You can change your password. You can get a new credit card. You can’t change your biometric data. That fingerprint scan sitting in a compromised database will be tied to you for the rest of your life. UIDAI did introduce a Virtual ID system and allowed people to lock their biometrics after the incident, but adoption of these features has remained low—probably under 5% of Aadhaar holders, if we’re being generous.
2019: JustDial’s Unprotected API
In April 2019, independent security researcher Rajshekhar Rajaharia discovered that JustDial, one of India’s oldest local search services, had left an API endpoint completely open. No authentication required. Anyone who knew where to look—or stumbled onto it—could pull up the personal details of roughly 100 million users.
The exposed data included names, email addresses, phone numbers, gender, dates of birth, and physical addresses. Rajaharia contacted JustDial directly, then went public after receiving no response for days. The company eventually patched the API and claimed no data had been “misused,” which is one of those corporate non-statements that tells you nothing. The API had been open for what appeared to be years. Whether anyone scraped the data before Rajaharia found it is anyone’s guess.
JustDial’s breach highlighted a pattern that would repeat itself over and over in India: APIs deployed without basic access controls. No rate limiting, no authentication tokens, no monitoring for unusual access patterns. It’s the digital equivalent of leaving your front door wide open and then insisting nothing was stolen because you didn’t see anyone walk in.
2020: BigBasket and the Pandemic Surge
COVID-19 lockdowns in 2020 pushed millions of Indians onto online grocery platforms for the first time. BigBasket was one of the biggest beneficiaries of that shift—and in October 2020, the company suffered a breach that exposed the data of over 20 million customers.
The stolen database appeared on a well-known dark web marketplace in November 2020, priced at roughly $40,000. It contained email addresses, phone numbers, physical addresses, order histories, and SHA-1 hashed passwords. SHA-1 has been considered broken since at least 2017, and, more to the point for password storage, it is a fast general-purpose hash rather than a deliberately slow, salted password hash, which means those password hashes could be cracked in hours with commercially available hardware.
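As an added example (not code from the post, BigBasket or Cyble), this is the defender-side pattern a dump of fast hashes argues for: keep verifying a legacy SHA-1 record, but rehash it with a salted, slow KDF on the next successful login and track how many accounts are still unmigrated. The user record and password are constructed; the store mimics bare SHA-1 digests (the post does not say whether BigBasket salted them), and PBKDF2-HMAC-SHA256 is used because hashlib ships it everywhere.

```python
import hashlib
import hmac
import os

# Constructed legacy user store (not real data): passwords stored as bare,
# unsalted SHA-1 hex digests, the kind of record that cracks in hours.
LEGACY_USERS = {
    "asha@example.com": hashlib.sha1(b"chai2020").hexdigest(),
    "ravi@example.com": hashlib.sha1(b"bigbasket!").hexdigest(),
}

PBKDF2_ITERATIONS = 600_000  # OWASP 2023 guidance for PBKDF2-HMAC-SHA256
RECORD_TAG = "pbkdf2_sha256"


def hash_password(password, salt=None):
    """Return a tagged, salted record: pbkdf2_sha256$iters$salt_hex$digest_hex."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{RECORD_TAG}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Check a password against a legacy SHA-1 digest or a PBKDF2 record.

    Returns (ok, needs_upgrade). Legacy records always need upgrading; PBKDF2
    records need it only if they were made with fewer iterations than current.
    """
    if stored.startswith(RECORD_TAG + "$"):
        _, iters, salt_hex, digest_hex = stored.split("$")
        calc = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(calc.hex(), digest_hex), int(iters) < PBKDF2_ITERATIONS
    # Legacy path: unsalted SHA-1. Constant-time compare, then flag for rehash.
    legacy = hashlib.sha1(password.encode()).hexdigest()
    return hmac.compare_digest(legacy, stored), True


def login(users, email, password):
    """Authenticate and, on success, transparently replace a weak record in place."""
    stored = users.get(email)
    if stored is None:
        return False
    ok, needs_upgrade = verify_password(password, stored)
    if ok and needs_upgrade:
        users[email] = hash_password(password)  # only the plaintext we just verified
    return ok


def legacy_accounts(users):
    """List accounts still on the old SHA-1 format, so migration progress is measurable."""
    return sorted(e for e, rec in users.items() if not rec.startswith(RECORD_TAG + "$"))
```

Accounts that never log in again never get rehashed, which is why a breach of a store like this still calls for forced resets.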
BigBasket didn’t acknowledge the breach until cybersecurity firm Cyble confirmed the data’s authenticity and published a report. The company then said it had filed a complaint with the Bangalore Cyber Crime Cell. What happened after that? Not much publicly. No fine, no regulatory action, no mandatory password resets for affected users—at least not immediately.
This breach also exposed something uncomfortable about India’s pandemic-era digital push: companies were scaling frantically to meet demand, and security was getting deprioritized. New features shipped fast. Infrastructure got patched together. User databases grew by millions of records per week. Security teams, if they existed at all, were stretched thin.
2021: Air India and Domino’s—A Double Hit
Air India (May 2021)
Air India disclosed in May 2021 that a breach at its passenger service system provider, SITA, had compromised the personal data of approximately 4.5 million passengers. The exposed records spanned nearly a full decade, from August 2011 to February 2021. Names, passport numbers, credit card details, frequent flyer data, dates of birth, and contact information—all of it was in the compromised dataset.
SITA, which provides IT infrastructure to roughly 90% of the world’s airlines, had been breached in February 2021. Air India didn’t notify affected passengers until May. That’s a three-month gap between the breach occurring and customers being told about it. During those three months, attackers had access to credit card numbers and passport details. People were flying internationally, making financial transactions, and had no idea their data was floating around in someone else’s hands.
The Air India case showed that breaches don’t always happen because of something the visible company did wrong. Third-party vendors and supply chain partners are often the weakest link. Air India could have had world-class security internally, and it wouldn’t have mattered—the breach happened upstream at SITA.
Domino’s India (April 2021)
A month before the Air India disclosure, data from Domino’s India (operated by Jubilant FoodWorks) appeared on the dark web. The breach affected roughly 18 crore (180 million) orders, with customer names, email addresses, phone numbers, delivery addresses, and payment details all included. Someone even built a searchable website where you could type in a phone number and see every Domino’s order associated with it—delivery address and all.
Think about what that means for a minute. Your home address, your office address, the frequency of your orders, your phone number—all searchable by anyone with a browser. The site was eventually taken down, but cached copies circulated on forums for weeks.
Jubilant FoodWorks said it had “experienced an information security incident” and was “investigating.” No Indian regulatory body imposed any penalty. The breach is barely mentioned in their subsequent annual reports.
2022: AIIMS, Railways, and PAN Card Leaks
AIIMS Ransomware Attack (November 2022)
The ransomware attack on the All India Institute of Medical Sciences (AIIMS) in New Delhi was different from the other entries on this list. It wasn’t just a data leak—it was a full shutdown. AIIMS’s servers went offline on November 23, 2022, crippling the hospital’s digital infrastructure for over two weeks.
Patient records, appointment systems, billing, laboratory reports—everything was inaccessible. Doctors resorted to writing prescriptions by hand. The hospital estimated that approximately 3 to 4 crore (30-40 million) patient records were affected, though the government never confirmed a precise number. Reports suggested the attackers demanded around Rs 200 crore in cryptocurrency as ransom.
The attack exposed just how vulnerable India’s public healthcare infrastructure is. AIIMS, one of the country’s most prestigious medical institutions, was running servers with outdated security patches and had limited network segmentation. If AIIMS was this exposed, what about smaller district hospitals and government clinics? Healthcare data is some of the most sensitive information that exists—medical histories, diagnoses, HIV status, mental health records—and much of India’s public health system stores it with minimal protection.
Indian Railways and PAN Card Data
Two other incidents in 2022 deserve mention. A database containing personal information of approximately 30 million Indian Railways users appeared on hacking forums, including names, email addresses, and phone numbers. Separately, a dataset allegedly containing PAN card details of millions of taxpayers surfaced on the dark web—names, PAN numbers, and fathers’ names included.
Neither incident resulted in a clear public accountability process. IRCTC said it was investigating. The Income Tax department didn’t comment on the PAN data leak. Both datasets were available for purchase at prices that would seem comically low if the consequences weren’t so serious—a few hundred dollars for millions of taxpayer records.
2023: CoWIN and the Telegram Bot Problem
In June 2023, reports emerged that personal data from the CoWIN portal—India’s COVID-19 vaccination registration platform—was being served through a Telegram bot. You could type in a phone number and get back the person’s name, Aadhaar number, passport number, gender, date of birth, and vaccination details.
The government’s initial response was denial. The IT Ministry called the reports “mischievous” and said CoWIN’s backend was secure. Within 24 hours, they reversed course and acknowledged that data had been accessed, though they characterized it as coming from a “previously stolen” dataset rather than a live breach of CoWIN’s systems. This distinction probably mattered very little to the people whose Aadhaar numbers were being returned by a Telegram bot.
CoWIN had collected data from over 100 crore (1 billion) vaccinated Indians. The scale of the potential exposure was staggering. Exactly how much data was compromised remains unclear—the government’s investigation results, if they exist, haven’t been made public. The Telegram bots were taken down, but the data was already out there.
2024-2025: Telecom Breaches and Star Health
BSNL (June 2024)
State-owned telecom operator BSNL suffered a breach that exposed SIM card data, server snapshots, and customer details of millions of subscribers. A threat actor using the handle “kiberphant0m” claimed to have exfiltrated over 278 GB of data from BSNL’s telecom operations, including IMSI numbers, SIM card details, HLR data, and server configuration files. The exposed IMSI and SIM data could theoretically be used for SIM cloning attacks—a particularly dangerous form of identity theft that lets attackers intercept your calls and text messages, including OTPs.
BSNL confirmed a “security incident” and said it was working with CERT-In. The company had already suffered a similar breach in 2023, which should tell you something about how seriously the remediation was taken the first time.
Star Health Insurance (October 2024)
The Star Health Insurance breach was one of the most disturbing incidents in this entire timeline. A threat actor leaked the medical records, policy details, and personal information of nearly 31 million customers through Telegram chatbots. The exposed data included health insurance claim details, medical diagnoses, lab reports, policy numbers, names, addresses, and phone numbers.
Medical data breaches are a different category of harm. If your email address leaks, you get spam. If your medical records leak, potential employers might see your health conditions. Insurance companies—ironically, in this case—might use the data to deny you coverage. Personal medical information can be used for blackmail, discrimination, and social stigma in ways that other types of data can’t.
Star Health initially denied the breach entirely, then sued Telegram (the platform) instead of addressing how 31 million customer records had been exfiltrated in the first place. The company’s Chief Information Security Officer was reportedly named by the threat actor as having been involved in the data sale, an allegation Star Health denied. As of early 2025, investigations were still ongoing.
The Patterns That Keep Repeating
After going through eight years of breaches, certain patterns are hard to ignore.
Unprotected APIs sit at the root of many incidents. Aadhaar, JustDial, CoWIN—these weren’t breaches that required sophisticated hacking. The data was, in some cases, openly accessible to anyone who knew the right URL. Basic API security—authentication, rate limiting, access logging—would have prevented them.
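The "no rate limiting, no monitoring for unusual access patterns" failure described for JustDial above and summarized in this section is detectable from ordinary access logs. As an added example (not code from the post or from any of the organizations named), the following flags two behaviours a record-lookup endpoint should never see unchallenged: a burst above a per-client rate limit, and a slow walk through sequential record IDs that a rate limit alone would miss. The log format, endpoint path and client addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not from any real system): "<ts> <client> <path>".
# 10.0.0.5 walks record IDs slowly in order, 10.0.0.9 bursts random IDs, 10.0.0.7 is normal.
SAMPLE_LOG = """\
2024-06-01T10:00:00 10.0.0.5 /api/v1/beneficiary/1001
2024-06-01T10:01:30 10.0.0.5 /api/v1/beneficiary/1002
2024-06-01T10:03:00 10.0.0.5 /api/v1/beneficiary/1003
2024-06-01T10:04:30 10.0.0.5 /api/v1/beneficiary/1004
2024-06-01T10:06:00 10.0.0.5 /api/v1/beneficiary/1005
2024-06-01T10:00:10 10.0.0.7 /api/v1/beneficiary/4412
2024-06-01T10:07:30 10.0.0.7 /api/v1/beneficiary/4412
2024-06-01T10:00:20 10.0.0.9 /api/v1/beneficiary/88213
2024-06-01T10:00:20 10.0.0.9 /api/v1/beneficiary/1204
2024-06-01T10:00:21 10.0.0.9 /api/v1/beneficiary/56001
2024-06-01T10:00:21 10.0.0.9 /api/v1/beneficiary/7
2024-06-01T10:00:22 10.0.0.9 /api/v1/beneficiary/31337
2024-06-01T10:00:22 10.0.0.9 /api/v1/beneficiary/90000
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) /api/v1/beneficiary/(?P<rid>\d+)$")


def parse_log(text):
    """Group (timestamp, record_id) lookups by client, in log order."""
    by_client = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip anything that is not a record lookup
            by_client[m["client"]].append((datetime.fromisoformat(m["ts"]), int(m["rid"])))
    return by_client


def max_requests_in_window(events, window_s=60):
    """Largest number of requests by one client inside any window_s span."""
    times = sorted(ts for ts, _ in events)
    best = start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def sequential_ratio(events):
    """Fraction of consecutive lookups whose record ID rose by exactly one."""
    ids = [rid for _, rid in events]
    if len(ids) < 2:
        return 0.0
    return sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1) / (len(ids) - 1)


def detect_scraping(text, rate_limit=5, window_s=60, seq_threshold=0.8, min_requests=5):
    """Map client -> reasons, for clients that burst past the limit or enumerate IDs."""
    findings = {}
    for client, events in parse_log(text).items():
        reasons = []
        burst = max_requests_in_window(events, window_s)
        if burst > rate_limit:
            reasons.append(f"{burst} requests within {window_s}s (limit {rate_limit})")
        if len(events) >= min_requests and sequential_ratio(events) >= seq_threshold:
            reasons.append("sequential record-ID enumeration")
        if reasons:
            findings[client] = reasons
    return findings
```

The enumeration check is what catches the patient scraper; an endpoint that returns one person's record per guessable ID is leaking regardless of how slowly it is read, which is why authentication, not logging, is the actual fix.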
Disclosure timelines are terrible. Air India took three months to tell passengers. BigBasket didn’t acknowledge the breach until a third-party firm published a report. The government denied the CoWIN leak before admitting it a day later. Indian organizations seem to treat breach disclosure as a PR problem to be managed rather than a legal and ethical obligation.
Penalties have been practically nonexistent. Before the DPDP Act came along in 2023, India had no dedicated data protection law with teeth. The old IT Act’s Section 43A allowed for compensation, but enforcement was rare. Companies could lose the data of 20 million people and face no meaningful consequence. This lack of accountability is probably the single biggest reason breaches keep happening—there’s no financial cost to bad security.
Third-party risk gets ignored. The Air India breach happened through SITA. Many other incidents trace back to vendors, contractors, and cloud misconfigurations by third parties. Indian companies often don’t audit their partners’ security practices at all.
Government databases are just as vulnerable as private ones. Aadhaar, CoWIN, AIIMS, Indian Railways—some of the largest breaches on this list involve government-run systems. Public sector IT security budgets tend to be small, staffing is limited, and the “it won’t happen to us” attitude runs deep.
CERT-In’s Reporting Requirements
In April 2022, CERT-In issued new directives requiring organizations to report cybersecurity incidents within six hours of detection. This was a significant tightening—most countries allow 72 hours. The directive also required organizations to maintain logs of all ICT systems for 180 days and synchronize their system clocks to the NTP server of the National Informatics Centre or the National Physical Laboratory.
On paper, these are strong requirements. In practice, compliance is spotty. Many organizations don’t have the monitoring infrastructure to even detect a breach within six hours, let alone report it. CERT-In has issued advisories and worked with affected organizations behind the scenes, but public enforcement actions remain scarce. The gap between what the rules say and what actually happens is wide enough to drive a truck through.
The Digital Personal Data Protection (DPDP) Act of 2023 adds another layer. It requires “data fiduciaries” to notify both CERT-In and affected individuals in the event of a breach, with penalties of up to Rs 250 crore for non-compliance. The rules under the act are still being finalized as of early 2026, so it’s hard to say how strictly they’ll be enforced. The Data Protection Board of India, which is supposed to handle complaints and impose penalties, is still getting up and running.
What To Do After Your Data Gets Breached
Given the sheer volume of breaches in India over the past eight years, there’s a good chance your data has been exposed at least once. Probably more. Here’s what you can actually do about it—not theoretical advice, but practical steps.
Check Whether You’ve Been Affected
Go to haveibeenpwned.com and enter your email addresses. The site tracks known breaches and will tell you which ones include your data. It won’t catch everything—many Indian breaches don’t make it into their database—but it’s a decent starting point. You can also set up alerts so you’re notified if your email appears in future breaches.
Change Your Passwords—Seriously, All of Them
If you’ve been reusing the same password across multiple sites (and most people do), a breach at one service means every account with that password is compromised. Install a password manager like Bitwarden (free and open source) or 1Password and generate unique passwords for every account. Yes, it’s a pain to set up. Do it on a Saturday afternoon with a cup of chai and get it done.
Move Beyond SMS OTP
SMS-based one-time passwords are better than nothing, but they’re vulnerable to SIM swap attacks—especially relevant given that telecom data has been breached. Where possible, switch to app-based authentication using Google Authenticator, Microsoft Authenticator, or Authy. For your most sensitive accounts (email, banking), consider a hardware security key like a YubiKey.
Monitor Financial Accounts Closely
Set up transaction alerts for every bank account and credit card you hold. Most Indian banks let you set SMS and email alerts for transactions above Rs 0—meaning you’ll know immediately if someone charges something to your account. Check your CIBIL report periodically (you’re entitled to one free report per year) to look for accounts or loans you didn’t open.
Lock Your Aadhaar Biometrics
If you haven’t already, go to the UIDAI website or the mAadhaar app and lock your biometric data. This prevents anyone from using your fingerprints or iris scans for authentication until you unlock them. You can also generate a Virtual ID (VID) to share instead of your actual Aadhaar number when services request it.
Be Skeptical of Unexpected Contacts
After a breach, the data often gets used for targeted phishing. If someone calls or emails you with specific personal details—your address, your recent orders, your policy number—don’t assume they’re legitimate just because they know those things. Breached data makes social engineering attacks far more convincing. Hang up and call the company directly using the number on their official website.
Where This Goes From Here
India’s data breach problem isn’t going to fix itself. The DPDP Act’s rules are still being written, the Data Protection Board hasn’t flexed any enforcement muscle yet, and companies continue to collect enormous amounts of personal data with security practices that range from “adequate” to “nonexistent.”
Some things might change in the next few years. The DPDP Act’s penalty provisions could scare companies into investing more in security—Rs 250 crore is real money, even for large corporations. CERT-In’s six-hour reporting window, if actually enforced, would make it much harder for companies to quietly cover up breaches. And as India’s cybersecurity talent pool grows, more organizations might finally have people on staff who know what they’re doing.
But I wouldn’t hold my breath for rapid improvement. The incentive structures still favor collecting data over protecting it, the regulatory machinery is new and untested, and the sheer volume of digital records being created in India—a billion-plus population going online at incredible speed—means the attack surface keeps getting bigger.
The most honest advice? Assume your data is already out there. Act accordingly. Protect what you can, monitor what you can’t, and don’t trust any organization—government or private—to keep your information safe just because they say they will. The timeline above should tell you exactly how much those promises are worth.
Written by
Rajesh Kumar, Founder & Chief Editor
Rajesh Kumar is a cybersecurity expert with over 12 years of experience in digital privacy and data protection. He has worked with CERT-In and various Indian enterprises to strengthen their data security practices. He founded PrivacyTechIndia to make privacy awareness accessible to every Indian.