By Anuradha Gandhi, Rachita Thakur and Abhishekta Sharma
Introduction
In October 2025, a communication platform with over 200 million active users worldwide disclosed a significant data breach that originated not from its own systems, but from a compromised third-party customer service provider. An attacker compromised the provider’s systems and gained unauthorized access to the support ticket queue, which contained sensitive customer information. The incident impacted a select group of users who had recently communicated with the platform’s Customer Support or Trust and Safety teams.[1]
Scope of data compromised
The exposed information includes[2]:
- Your name, platform username, email and other contact details if you provided them
- Limited payment information, including payment type, last four digits of your credit card, and purchase history if associated with your account
- IP addresses
- Messages and attachments sent to our Customer Support or Trust & Safety agents
- Government ID images
Third-Party Service Provider Dynamics
The incident highlighted a critical vulnerability in modern business operations: the reliance on third-party vendors for essential services. While the platform maintained that its core systems remained secure, the compromise of its customer service provider’s infrastructure created a pathway for unauthorized data access, demonstrating how data fiduciaries remain exposed to risks beyond their direct control.
India at the Digital Inflection Point: New Vulnerabilities Emerge
India has crossed a significant digital inflection point, with more than 86% of households now having internet access, highlighting the significant strides made through the Digital India initiative.[3] This unprecedented growth has created a vast attack surface for cybercriminals and state-sponsored actors. The sharp rise in cybersecurity incidents from 10.29 lakh in 2022 to 22.68 lakh in 2024 underscores the escalating scale and sophistication of digital threats facing the country.[4]
The financial impact of these vulnerabilities is also substantial. Cybercrime losses in India are projected to reach ₹20,000 crores across sectors in 2025, with banking and financial services bearing the brunt at ₹8,200 crores, followed by retail and e-commerce at ₹5,800 crores. These statistics underscore why robust breach reporting mechanisms have become essential for India’s digital infrastructure protection.[5]
Understanding Personal Data Breach
In this context, understanding what constitutes a personal data breach becomes crucial. The Digital Personal Data Protection Act, 2023 (hereinafter referred to as DPDP Act, 2023) provides a comprehensive definition of personal data breach under Section 2(u) as “any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data that compromises the confidentiality, integrity or availability of personal data.”[6]
The Responsibility Paradigm: Data Fiduciary Obligation
Under the DPDP Act, 2023, when a data fiduciary engages a data processor for personal data processing, the fiduciary retains ultimate responsibility for data protection compliance. This principle proves particularly relevant in third-party breach scenarios. Section 8 of the DPDP Act sets out key obligations of the data fiduciary, such as:
- The data fiduciary shall implement reasonable technical and organisational safeguards to prevent personal data breaches[7] and extend these safeguards contractually to all third-party data processors.
- The data fiduciary must ensure that processors follow adequate security standards and promptly report incidents.
- In case of a breach, the data fiduciary shall notify both the Data Protection Board of India and affected individuals in such form and manner as prescribed.[9]
- The data fiduciary shall collect only necessary data, use it for specified purposes and erase it once it is no longer required.
India’s Reporting Framework: IT Act, 2000 and DPDP Act, 2023
India combines traditional cybersecurity incident reporting under the IT Act, 2000 with privacy-focused breach notification under the DPDP Act, 2023.
Information Technology Act, 2000
The IT Act, 2000 designates CERT-In as the national cybersecurity agency under Section 70B, with broad powers to collect, analyze, and disseminate cyber incident information. CERT-In’s 2022 directions established some of the world’s most stringent breach reporting requirements.[10]
Six-Hour Reporting Mandate: All entities must report cybersecurity incidents, including data breaches, credential compromises, and malware intrusions, within six hours of detection. This timeline applies regardless of breach severity or impact assessment.
Comprehensive Incident Categories: Reportable incidents include data breaches, website defacements, malware infections, denial-of-service attacks, and unauthorized access attempts.
Technical Reporting Requirements: Reports must include incident timestamps, affected systems, attack vectors, impact assessments, and immediate containment measures.
Log Retention Mandates: Entities must securely retain Information and Communication Technology (ICT) system logs for 180 days, with accurate timestamping using Indian Network Time Protocol (NTP) servers.
Subscriber Data Obligations: Telecom VPN, VPS and data center operators must maintain subscriber/customer identification records for five years.
Enforcement Tools: CERT-In may issue formal directives to affected entities and initiate legal action; non-compliance can carry fines and up to one year of imprisonment.
Section 43A of the IT Act, 2000
Section 43A of the IT Act, 2000, read along with the SPDI Rules, creates liability to pay compensation where an entity fails to implement reasonable security practices and such negligence results in unauthorised access, disclosure, or misuse of personal data.[11]
DPDP Act, 2023
The DPDP Act introduces a parallel reporting framework focused on individual privacy protection rather than cybersecurity incident management. Data fiduciaries must notify the Data Protection Board “without delay” upon breach discovery, followed by detailed reporting within 72 hours.
Further, affected data principals must receive direct breach notifications from the data fiduciary, including incident details, potential impacts, and protective measures taken.
The DPDP Act also imposes a penalty of up to 250 crore where inadequate security safeguards lead to a personal data breach, up to 200 crore for failure to observe the obligation to give the Board or affected Data Principals notice of a personal data breach, and additional penalties for violations involving children’s data.
Sectoral Reporting Complexity
India’s regulatory landscape extends beyond CERT-In and the Data Protection Board, creating multiple reporting obligations for different sectors.
Reserve Bank of India
The Reserve Bank of India provides a template for reporting cyber incidents. A breach shall be reported to the RBI within two to six hours, with subsequent updates provided if the earlier report was incomplete (i.e. the investigation is underway or new information pertaining to the incident has been discovered) or as requested by the RBI.[12]
Telecommunication Sector
The Telecom Cyber Security Rules, 2024[13] specify that if any security incident affects a telecommunication entity, the entity shall report it to the Central Government within six hours of the incident, mentioning the number of users affected, the duration of the incident, the geographical area affected, etc.
Insurance Regulatory and Development Authority of India
Regulated Entities shall report any cyber incident to IRDAI within 6 hours of its occurrence or of its being brought to notice, and shall maintain and monitor ICT infrastructure and application logs for 180 days.
Global Context on Breach Reporting and Comparative Analysis
India’s approach to data breach reporting represents one of the world’s most comprehensive frameworks. While the General Data Protection Regulation (GDPR) under Article 33 requires 72-hour breach reporting to supervisory authorities[14], India’s dual system combines this with CERT-In’s six-hour cybersecurity incident reporting.
The notification shall describe the nature of the breach, the number of affected parties and the categories of personal data records concerned. It shall further state the name and contact details of the data protection officer, the likely consequences of the breach and the measures taken to protect the data.
Conclusion
India’s data breach reporting framework represents one of the world’s most comprehensive regulatory approaches, combining rapid cybersecurity incident reporting with detailed privacy protection measures.
As the country continues its digital transformation journey, the regulatory framework will likely evolve further, potentially introducing additional reporting requirements and enforcement mechanisms. Organizations must view breach preparedness not as a technical IT concern but as a fundamental governance and legal imperative requiring board-level attention and comprehensive risk management strategies.
[1] Update on a Security Incident Involving Third-Party Customer Service
[3] https://www.pib.gov.in/PressNoteDetails.aspx?NoteId=155384&ModuleId=3
[4] Ibid.
[5] Indian entities may lose Rs 20,000 cr to cyber crimes in 2025: CloudSEK Report – The Economic Times
[6] Section 2 in The Digital Personal Data Protection Act, 2023
[7] § 8(4) of the Digital Personal Data Protection Act, 2023
[8] § 8(5) of the Digital Personal Data Protection Act, 2023
[9] § 8(6) of the Digital Personal Data Protection Act, 2023
[10] https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf
[11] https://www.indiacode.nic.in/show-data?actid=AC_CEN_45_76_00001_200021_1517807324077&orderno=49
[12] https://www.rbi.org.in/commonman/Upload/English/Notification/PDFs/NT41802062016.pdf