India DPDP Enforcement Tracker

Customer database (20M accounts) exposed via unsecured MongoDB instance. Data included names, email addresses, delivery addresses, phone numbers, and hashed passwords.

Payment processing infrastructure breach exposed masked card data and merchant transaction metadata for approximately 100 million users.

8.2TB of user data including KYC documents, Aadhaar copies, PAN cards, and card details made available on darknet. CERT-In investigation launched. Company disputed scale of breach.

180 million order records including customer names, phone numbers, email addresses, delivery addresses, and approximately 1 million credit card records exposed and indexed on a searchable dark web portal.

Data breach via SITA passenger system compromised 4.5 million Air India frequent flyer records including passport numbers, credit card data, date of birth, and ticket information.

KYC data of 2.5 million customers reportedly compromised via third-party data warehouse breach. CERT-In notice issued. Data included contact details, bank account information, and identity documents.

Ransomware attack on hospital servers affected an estimated 3-4 crore patient records. Hospital services were disrupted for over two weeks. CERT-In and NCIIPC investigated.

RBI imposed monetary penalty for non-compliance with Know Your Customer (KYC) directions including deficiencies in data handling, customer record maintenance, and periodic KYC update procedures.

Attackers harvested payment card data and personal details of approximately 500,000 customers via a skimming script injected into the booking website. ICO investigation found inadequate security testing and authentication.

Extensive secret surveillance of employees' personal lives at service centre in Nuremberg. Records included health conditions, family circumstances, religious beliefs, and private life details. Records were accessible to 50+ managers.

Scraped personal data of 533 million Facebook users made available on a hacking forum. Data included phone numbers, full names, dates of birth, email addresses, and biographical information. DPC found inadequate technical and organisational measures.

Processing of personal data for targeted advertising without sufficient legal basis or transparency. Decision held that Amazon tracked browsing and purchase behaviour for advertising without meeting the specificity and informed-consent requirements.

Data of 15 million UK individuals processed by Equifax Inc. without adequate oversight of its US-based data processor. ICO found failures in security controls and data governance of cross-border transfers.

Scraped biometric data of billions of individuals from public sources to build facial recognition database, without consent and without lawful basis. Multiple national DPAs imposed parallel penalties.

Starwood guest reservation database breach affecting up to 339 million guest records including passport numbers, payment card data, and contact details. Breach began pre-merger with Marriott and was undetected for four years.