
Who should read this?
CEOs, CTOs, CISOs, Cyber Security Managers
From the AIIMS ransomware attack to the IRCTC data leak, India has witnessed some of the most alarming data breaches in recent years. These incidents raise a crucial question: Are organizations doing enough to protect their most valuable asset—data? The urgency is clear: Check Point Software’s report reveals that Indian organizations face 3,291 weekly cyber attacks—44% more than the global average.
As companies continue transitioning to digital platforms, many overlook essential data protection strategies, leaving sensitive information exposed. The major breaches in India highlight the urgent need for leaders to adopt proactive measures to safeguard sensitive data and minimize future risks.
This blog will explore the lessons from some of the major breaches in the country, the risks organizations need to address, and why strengthening data protection measures is no longer optional but a business necessity.
The State of Data Security in India: A Wake-Up Call
India’s digital growth has made services like healthcare, telecom, and e-commerce more accessible to a broader population, but it has also increased the risk of cyber attacks. As a result, data breaches are having a growing impact across all sectors. They expose the personal information of citizens, cause financial losses and reputational damage to businesses, and threaten both the security of government institutions and public trust in them.
According to SISA, 7 in 10 organizations in India are likely to experience a data breach in the coming year, showing the need for stronger data protection strategies. Additionally, IBM reports that compromised credentials are the leading cause of data breaches. In fact, a KnownHost study found that many people are still using easily guessable passwords, so it’s no wonder that data breaches continue to happen.
Let’s take a closer look at some of the major data breaches in India to understand how serious this issue is.
- AIIMS ransomware attack: Cyber criminals locked access to over two terabytes of patient data, affecting vital medical records. This breach disrupted healthcare services across AIIMS, compromising sensitive patient information. The attack was caused by ransomware exploiting vulnerabilities in outdated systems, underlining the urgent need for system updates and stronger cyber security in healthcare institutions.
- Telecom data breach: The personal data of 750 million telecom users was exposed, including sensitive information like names, addresses, mobile numbers, and Aadhaar details. This breach occurred due to weaknesses in the telecom sector’s database and poor security practices, leading to unauthorized access. The breach has raised significant concerns about the security of India’s telecom infrastructure.
- IRCTC data leak: Over 30 million railway passenger records were compromised, including sensitive details such as names, contact information, and travel history. The breach happened due to vulnerabilities in IRCTC’s database and a lack of proper access controls, allowing cyber criminals to infiltrate the system. The large-scale leak of public data demonstrates the risks in essential services like transportation.
- ICMR data breach: Sensitive personal data of over 81.5 million Indians, including Aadhaar numbers, passport details, and contact information, was compromised. The breach was caused by weak security measures and failure to properly secure ICMR’s public health database. This exposed critical health data to cyber criminals, highlighting the vulnerability of government systems in safeguarding public data.
- Boat data breach: The personal data of 75 lakh users was exposed, including sensitive customer details. The breach occurred due to a vulnerability in Boat’s database, which allowed unauthorized access. This incident highlights the need for e-commerce platforms to implement more security measures, given the volume of personal data users share on these platforms.
Even though these events took place in different sectors, they share common causes. While the scale of each breach varies, the overall impact is evident in the massive amount of compromised data, which has affected millions of users and raised significant concerns about the security of sensitive information.
What These Data Breaches Teach Us
These breaches highlight several critical lessons for organizations across India. By reflecting on these incidents, we can identify key areas where businesses and government bodies must improve in order to protect citizens’ data and maintain trust.
- Collecting more data than necessary: Collecting too much data can create privacy issues. It’s important to only keep the information you really need and to make sure only the right people have access to it. Limiting access reduces the chances of data being exposed and helps reduce the potential damage from a breach. Additionally, once the data is no longer needed, it should be securely deleted. This practice minimizes the amount of sensitive information stored and reduces the risk of exposure if systems are compromised.
- Overlooking risks from third-party partners: Many organizations forget that their suppliers and service providers can be a weak link. If these third-party partners are not secure, cyber criminals can use them to access your data. It’s essential to ensure that your partners follow the same security standards you do and periodically check that they maintain those standards.
- Overlooking the risks of outdated systems: Organizations often invest in new systems but don’t give enough attention to maintaining their existing ones. Many still use outdated systems that don’t get regular updates or security patches. Similarly, weak database protection practices, such as poor access controls and inadequate use of encryption, can expose data to cyber criminals. It’s critical to periodically update systems, use encryption, and ensure databases are securely configured to protect sensitive data from unauthorized access.
- Underestimating the impact of data breaches: Many organizations do implement security measures, but they often underestimate the full impact a data breach can have on their operations, reputation, and customer trust. Security isn’t just about having basic measures in place; it’s about understanding the potential consequences of a breach and preparing accordingly. Investing time in security checks and employee training may seem time-consuming, but it’s far less costly than dealing with the aftermath of an attack. The real risk lies not in over-preparing but in assuming that basic measures are enough.
- Focusing too much on technology, not enough on people: While having the latest technology is important, it’s easy to forget that the people in your organization and the processes they follow are just as important. Employees need to be trained on security practices, and everyone should follow clear procedures to keep data safe. Regular training and communication can help create a culture where security is everyone’s responsibility.
The Change We Must Embrace for Better Data Security
Data breaches will continue to occur as long as organizations and individuals remain vulnerable. While we can’t completely prevent them, we can take steps to reduce their impact. Interestingly, 74% of all data breaches involve human factors, such as mistakes, misuse of access, or falling for scams. This shows that protecting data is not just about technology but also about the people using it.
As we move into 2025, first and foremost, our thought process needs to change. Despite the vast amount of information available online, people often get confused about how to protect their data and treat it as a good-to-have rather than a necessity. However, data protection can be achieved by laying the right foundation. What everyone needs is proper guidance and information to help ensure they are following best practices.
Moving forward, the future of data security depends on strengthening security practices to keep pace with growing threats. It’s our shared responsibility as leaders to prioritize the protection of data and set an example for our organizations.
