21 Jun 2026 · 9 min read
Between 2020 and 2025, every major Indian consumer category (aviation, retail, healthcare, fintech, edtech, electronics) has been hit with at least one publicly reported breach, and a large share of Indian consumers have records in at least one of them. The data does not disappear: phone numbers, addresses, partial payment details and account histories are bought, repackaged and re-sold on dark-web markets for years after a breach is 'resolved'. The DPDP Act 2023 closes the regulatory gap going forward, but it does not unwind the records already in circulation. That part is on you.
**The publicly reported incidents to know about.** *Air India (2021)*: a breach at SITA, its passenger-service-system provider, exposed names, dates of birth, contact details, passport information, ticket information, frequent-flyer data and credit-card data (without CVV) of roughly 4.5 million passengers worldwide, a large share of them Indian. *BigBasket (2020)*: names, emails, phone numbers, addresses and hashed passwords of around 20 million users were put up for sale, and the full dump was published on a hacking forum in 2021. *MobiKwik (2021)*: a leak of roughly 100 million records, reportedly including KYC documents, which the company disputed but which was widely reported and analysed. *Domino's India (2021)*: contact details and order history from an estimated 18 crore orders. *AIIMS Delhi (2022)*: a ransomware attack took hospital systems offline for weeks and put patient records at risk. *boAt (2024)*: around 7.5 million customer records, including names, addresses, phone numbers and order details, surfaced on a hacking forum. These are the disclosed ones. The undisclosed list is longer.
**What fraudsters do with leaked data.** They don't sit on it. They build profiles, joining one dump to the next on whatever field is shared: an email address, a phone number, a name plus city. A name + phone + city + a single order history is enough to run a convincing scam: 'Hello sir, this is Vinay from Domino's customer care, we noticed your order on the 14th had a billing issue, can you confirm your card details?' They re-sell the file to lenders who run unauthorised credit pulls. They target SIM-swap attacks at numbers tied to high-value bank accounts. They feed the data into KYC bypass kits that let a third party open a fintech account in your name. The longer a breach stays unaddressed, the more downstream uses your data has.
**Step 1 — Check if you're in the dataset.** Use [Have I Been Pwned](https://haveibeenpwned.com): enter your email and it lists the breaches that included your record. Check every address you have ever signed up with, not just the primary one; for a few breaches the site can also be searched by phone number. It is run by a respected Australian security researcher and is the most comprehensive public index, but it can only report breaches whose data has been loaded into it, so a clean result is not proof you were never exposed. India-specific aggregators exist but most have weaker provenance; start with HIBP.
**Step 2 — Rotate the password on any account flagged.** If your email turns up in a breach, assume the password attached to it is in circulation: even where the site says passwords were hashed, weak hashes of common passwords are cracked quickly. Change it on the breached service AND on every other service where you reused it (most people reuse, and that is the bigger risk, because one site's breach becomes every site's breach). A password manager (1Password, Bitwarden, Apple Passwords/iCloud Keychain, Google Password Manager) makes a unique password per site the default and reduces the cost of a rotation from hours to minutes.
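The article's Step 1 uses the HIBP website for email lookups (the email API behind it needs a paid key), but HIBP's Pwned Passwords endpoint is free, keyless, and answers the Step 2 question directly: is this password already in a breach corpus? It uses a k-anonymity range query, so only the first five hex characters of the SHA-1 of the password leave your machine. The following is an added example, not code from the article or from HIBP; the `fake_range_server`, its rows and the count attached to them are constructed so the script runs offline, while `fetch_range_live` shows the real call.

```python
"""Added example, not from the article: the k-anonymity lookup that
Have I Been Pwned's Pwned Passwords API uses. Only the first five hex chars
of the SHA-1 of the password are sent; the server returns every hash suffix
sharing that prefix and the match is done locally."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/{}"


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse a range response: one 'SUFFIX:COUNT' line per hash with that prefix.
    With the Add-Padding header the server also returns dummy rows with count 0."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """How many times the password appears in the corpus; 0 means no match.
    fetch_range(prefix) returns the raw response body for that prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix):
    """The real lookup (network). Add-Padding hides the true response size
    from an on-path observer; this endpoint needs no API key."""
    req = urllib.request.Request(
        RANGE_URL.format(prefix),
        headers={"Add-Padding": "true", "User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the server so the example runs offline. The first
# suffix really is the SHA-1 tail of 'password'; its count and the other rows
# are made up, and the count-0 row imitates padding.
SAMPLE_RANGE = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1D2D9A3F5B6C7E8F9A0B1C2D3E4F5A6B7C8:12",
        "00AB7F3C2E9D1B8A4F6E5D7C3B2A1F0E9D8:0",
    ]),
}


def fake_range_server(prefix):
    """Offline replacement for fetch_range_live, keyed on the constructed data."""
    return SAMPLE_RANGE.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "Tq7#wVb9!kLm2pXz"):
        print(pw, "->", breach_count(pw, fake_range_server))
```

Swap `fake_range_server` for `fetch_range_live` to query the real service; a non-zero count means the password should be retired everywhere it was used, not just on the breached site.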
**Step 3 — Turn on multi-factor authentication.** SMS-based MFA is weak (a SIM swap defeats it) but is still better than nothing. App-based codes (Google Authenticator, Authy) are much stronger. Hardware keys (YubiKey) are strongest. For your primary email, your bank, your UPI app and your income-tax e-filing portal, enable app-based MFA at minimum. Anyone who has your phone number from a leaked database can attempt a SIM swap or OTP phishing; app-based MFA stops a SIM swap from yielding a code, but nothing stops you reading a code out to a caller, so never do that. Hardware keys are the only option here that resists phishing outright.
**Step 4 — Freeze your CIBIL credit pull.** Indian credit bureaus (CIBIL, Experian, Equifax and CRIF High Mark) let you lock your credit information or place a fraud alert; a lender can pull from any of the four, so do it at each. It takes a few minutes per bureau and stops new loans being opened in your name. If your KYC data leaked (Aadhaar number, even masked, PAN, address), this is the single most cost-effective step you can take. Also pull your own report from each bureau (one free full report a year is mandated) and dispute any enquiry or account you do not recognise.
**Step 5 — Audit consent on the apps that have your data.** Open each app's privacy settings and revoke any consent you can't justify: location 'always', microphone access, contacts access, SMS read access. Section 6 of the DPDP Act gives you the right to withdraw consent at any time, with the same ease with which it was given; withdrawal stops further consent-based processing (it does not undo processing already done). If the app makes withdrawal harder than giving consent, that is a grievance to raise with the app, and with the Data Protection Board if the app does not resolve it. Start with the apps that hold the most sensitive data (banking, healthcare, dating, government).
**Step 6 — Use a junk email + a virtual UPI handle for low-trust sites.** When a quiz site, a 'free coupons' page or a one-time signup needs an email, give it a forwarding alias (SimpleLogin, Apple Hide My Email). Gmail '+' aliases are a weaker version of this: anyone joining datasets strips the '+tag' (and Gmail dots) first, so the base address still matches across dumps, whereas a random alias per site does not. When you need to pay an unknown merchant on UPI, use a virtual handle that maps to your real account, and revoke it after the transaction. This breaks the join key that fraudsters rely on (your single email and single UPI ID across hundreds of services). Your phone number remains a join key wherever you give it out, so withhold it from sites that do not need it.
**Step 7 — File a Section 13 grievance when a site fails, then go to the Board.** Section 13 of the DPDP Act gives Data Principals a right to grievance redressal from the Data Fiduciary, and the Act requires you to exhaust that route before complaining to the Data Protection Board. If a site refuses to delete your data, refuses to honour a consent withdrawal, or has been breached and did not notify you, raise it in writing with the site's published contact, keep the correspondence, and take it to the Board if it is not resolved. Registering a false or frivolous complaint is itself a breach of your duties under Section 15, with a penalty of up to ₹10,000, so be substantive; documented violations are exactly what the Board wants to see. A pattern of complaints is what triggers enforcement, and enforcement is what makes the DPDP Act real.
**The longer-term play.** Every Indian website you transact with is required to give you a Section 5 notice, publish a contact able to answer your data questions (a Data Protection Officer for significant data fiduciaries), give you a working withdrawal flow, and, under the DPDP Rules, report breaches to the Board within 72 hours and notify affected users without delay. Most are not there yet. You can speed up the timeline by using your rights actively: ask for your data, ask for it to be deleted when you're done, complain when you can't get either. The Board's enforcement priorities will follow the complaint volume. [Scan any site here](/scan) before you give it your data; the 60-second report tells you whether to trust it.
Note. Guidance, not legal advice. For specific compliance decisions, please consult a qualified data-protection lawyer.