Policy Plunge

India’s Data Breach Crisis Exposes Regulatory Gaps

Millions of Indians are vulnerable to data breaches, yet cybersecurity laws remain a step behind. The Secretariat maps the regulatory gaps that put our personal data at risk

The global list of data breaches in 2024 is long. Narrow it down to those in autumn, then filter for a breach that hit 31 million people and your search results will still bring up two entirely separate cases.

One hit the Internet Archive, the world’s largest digital library, while the other targeted Star Health, one of India’s largest health insurers.

To put it in context, each breach exposed personal information equivalent to the entire population of Nepal. 

So, what does this tell us? Nothing, but also everything.

Despite the similarities, the two instances aren’t connected, so there’s no need to bring out the red string to hatch a conspiracy, with the number 31 tacked to a wall.

The takeaway is clear: Data breaches are happening frequently, they are affecting a staggering number of people, and their targets cut across different industries. 

Cost To People And Purse

Data breaches are dangerous and expensive. Individuals whose personal information is exposed face the risk of identity theft, financial fraud and long-term privacy violations.

Breaches can also erode trust between consumers and organisations, and that trust is hard to rebuild. Correlation does not imply causation, but it is hard to ignore that after a breach exposed 7.24 TB of sensitive data, Star Health & Allied Insurance, one of India’s largest health insurers, is still struggling in the stock market, trading near its lowest point this year with a “Strong Sell” recommendation.

The toll on people is hard to measure; the economic cost is easier to quantify. In India, the average cost of a data breach reached an all-time high of US$ 2.35 million (Rs 19.8 crore approx) in the first half of 2024, according to a report published in July by IBM.

That was a 9 per cent increase over 2023 and a 39 per cent rise since 2020. The most common initial attack vectors in India were phishing and stolen or compromised credentials, each accounting for 18 per cent of incidents.

India’s Cyber Vulnerability Landscape

India is one of the most vulnerable jurisdictions for cyber attacks. Vikram Jeet Singh, partner at law firm BTG Advaya, spoke to The Secretariat about why this is so. “India is one of the world’s biggest and most connected markets,” he says. “There is definitely a question of scale, with too many players and too many users that can overwhelm a system of checks and balances.” 

This vast digital landscape offers great opportunities, but it also presents a large attack surface for cybercriminals. According to the India Cyber Threat Report 2023, the automobile industry is the most vulnerable.

This could be because of emerging attack areas such as smart mobility application programming interfaces (APIs) and electric vehicle (EV) charging infrastructure, according to the Report on Currency and Finance by the Reserve Bank of India (RBI).

Singh, a sector specialist in internet regulation and data privacy laws, chalks it up to the regulations. “There isn’t really any consistency in cybersecurity or even IT security regulations in India. Across the board, there aren’t any basic IT security standards mandated by the government. Different regulators mandate different standards,” he explains.

That the Banking, Financial Services and Insurance (BFSI) sector accounts for only 2 per cent of detected malware attacks suggests a comparatively well-defended sector, governed by well-defined regulations.

Regulatory Gaps

India's cybersecurity landscape remains fragmented, with standards implemented unevenly across industries. Without a single set of binding, nationwide security requirements, consistent standards are hard to enforce, and sectors diverge in how they manage their data protection practices.

“What this means is that when it comes to system security, there can be different IT architectures and configurations in India which only add to the chaos,” Vikram Jeet Singh says. He likens the situation to everyone having cars, but with engines that work in very different ways. 

“This adds to the complexity. There is no standardisation when it comes to security. The Indian government hasn’t issued binding rules around concepts like an encryption or data anonymisation standard,” he says. 

In the absence of a comprehensive cybersecurity and data protection law, the government has largely relied on existing frameworks such as the Information Technology (IT) Act, 2000, which defines “cyber security” (Section 2(1)(nb), inserted by the 2008 amendment) and, through Section 43A and the Sensitive Personal Data or Information Rules of 2011, requires companies handling such data to maintain “reasonable security practices and procedures”.

The Indian Computer Emergency Response Team (CERT-In) is the nodal agency that collects, analyses and disseminates information on cybersecurity incidents, and coordinates emergency response. However, it is often criticised for lacking the enforcement power needed to address cybersecurity lapses effectively.

Then there are sectoral rules that require cybersecurity incidents to be reported to the relevant regulator, such as the RBI or SEBI. The Star Health incident has led the Insurance Regulatory and Development Authority of India (IRDAI) to increase scrutiny of security lapses in the insurance sector.

Star Health itself pursued legal action after its data was disseminated on Telegram through automated chatbots, which raises questions about the liability of intermediary platforms in data breach cases.

While platforms like Telegram are required to comply with court orders to filter illegal content, expecting them to police every piece of data is unrealistic. 

Although health data is more sensitive than, say, a mere list of email addresses, there isn’t a nationwide standard for different types of data. “Health data should be regulated at a higher level, but this presupposes that there is some baseline level of regulation followed across the board. There has to be a floor of regulation above which we can specify higher standards. That floor is missing right now,” Singh explains. 

Would You Know Your Data Has Been Breached?

At present, Indian companies aren’t required to notify consumers of personal data breaches. Under the CERT-In directions of April 2022, organisations must report specified incidents to the agency within six hours of noticing them, but nothing obliges them to tell the affected individuals.

“So unlike GDPR, there is currently no binding requirement under Indian law to essentially inform the users of their data breach,” said Singh, referring to the European Union’s General Data Protection Regulation rules, which have been regarded as the world’s most stringent rules protecting people’s personal data.

This lack of transparency leaves consumers in the dark about potential threats to their personal information. Although Indian users theoretically have the right to seek legal recourse, such lawsuits are rare due to the difficulty of establishing negligence in cybersecurity.

It’s common for data breaches to go unnoticed, or for companies not to inform customers when one occurs. Have I Been Pwned (haveibeenpwned.com) lets people check whether their email address appears in a known breach, showing the company, year and type of information compromised, so that they can take steps to protect themselves.

The Digital Personal Data Protection Act, 2023, which was passed in August 2023 but still awaits the rules that will bring it into force, is expected to change this: it requires an organisation processing personal data to notify both the Data Protection Board and each affected individual of a personal data breach, rather than leaving people to rely on a public service website.

The Act lays out rules for the collection, processing and storage of personal data, intended to give individuals greater control over how their data is used.

The Way Forward

Automated processes, such as bots scraping data or even conducting cyberattacks, could complicate accountability.

“It is difficult to figure out who is responsible when information is obtained by scraping a website or database using an AI tool,” says Singh. “But once again, that's a very advanced problem for the future. We can’t think about it without taking care of security and regulation basics in India,” he says. 

As new attack vectors emerge and new technologies become mainstream, regulators must adapt quickly to prevent exploitation. What is required is a regulator with teeth, one that can compel organisations to follow IT security standards and punish non-compliance.

There is a need for better public-private collaboration in cybersecurity. In many instances, the private sector has taken the lead in building strong defences, but without adequate government support, many organisations may fall short of implementing best practices.

“Until that comes into play, people will need to follow the self-empowerment and self-education model,” says Singh. Which is a kind way of saying that we’re on our own.

Until a new regulator is on the scene, people will need to educate themselves on the tools available online to reduce cyber vulnerabilities. A person can only be mindful of what terms and conditions they are agreeing to, what cookies they’re accepting and what data they are providing.
