
Last Updated: 2025-07-01 ~ DPDP Consultants

June 2025 Data Breaches: A Wake-Up Call for DPDPA Enforcement in India

Introduction

As India navigates the digital decade, the security and governance of personal data have taken center stage. In June 2025 alone, a series of high-profile data breaches exposed the sensitive personal information of millions of Indian citizens, reigniting the urgent call for robust data protection enforcement. Despite the enactment of the Digital Personal Data Protection Act (DPDPA), 2023, the absence of timely implementation mechanisms, most notably the non-operational Data Protection Board of India (DPBI), has left significant regulatory gaps.

Key Incidents in June 2025

1. Zoomcar Breach – 8.4 Million Users Affected

On June 9, 2025, cybersecurity researchers revealed that Zoomcar, India’s popular car-sharing platform, had suffered a breach exposing the data of over 8.4 million users. The leaked information included names, email addresses, phone numbers, trip histories, and partial payment data—making users vulnerable to phishing and identity theft.

2. Ransomware Attack on Surya Shakti Infotech (Kolkata)

On June 19, 2025, Surya Shakti Infotech, a private IT firm responsible for managing the admission systems of several prominent Kolkata colleges, was hit by ransomware. The attack compromised admission databases, altered fee payment links, and delayed admissions for thousands of students across institutions like Scottish Church College and Surendranath College.

3. Compilation Leak of Indian Credentials

Amid a global leak of over 16 billion username-password combinations, a large portion of the credentials reportedly belongs to Indian users. These data sets, compiled from past and fresh breaches, have surfaced on darknet marketplaces and can be used for credential stuffing and account takeover attacks across financial, e-commerce, and government portals.

 

The DPDPA Gap: Why Enforcement Cannot Wait

While the Digital Personal Data Protection Act, 2023 was enacted to empower individuals (Data Principals) and hold organizations (Data Fiduciaries) accountable, its implementation remains stalled. Key provisions such as consent-based data processing, data minimization, purpose limitation, and grievance redressal are yet to be enforced due to:

  • The non-functional status of the Data Protection Board of India, which is central to adjudicating breaches and enforcing compliance.
  • The absence of notified Rules and Standard Operating Procedures (SOPs) under the Act.
  • Lack of mandatory Data Protection Impact Assessments (DPIAs) in high-risk processing activities, like those in fintech, edtech, and mobility platforms.

Why this matters:

| Breach Impact | DPDPA Protection (If Enforced) |
|---|---|
| Unauthorized processing of personal data | Would violate Sections 4–6 on lawful processing & consent |
| No breach notification to users | Section 8 mandates breach reporting to Data Principals |
| No remedy or redressal mechanism | Data Protection Board to adjudicate penalties & claims |
| Data minimization not applied | DPDPA mandates purpose limitation & necessity principles |

The Road Ahead: Immediate Policy Priorities

In light of these breaches, the following steps are imperative:

  1. Operationalize the Data Protection Board of India (DPBI)
    Without a functioning regulator, the DPDPA is toothless. Appointing the Chairperson and issuing a commencement notification should be prioritized.
  2. Mandate Registration of Significant Data Fiduciaries (SDFs)
    Platforms processing high-risk or large-scale data (like Zoomcar, education tech providers, etc.) should be designated SDFs and subjected to additional compliance measures.
  3. Strengthen Cyber Hygiene Across Sectors
    Mandatory audits, consent mechanisms, and data localization standards need enforcement across digital services handling critical personal data.
  4. Launch Public Awareness Campaigns
    Educating citizens on how to exercise their data rights under DPDPA is essential to build a culture of digital trust and accountability.

 

Conclusion

The June 2025 breaches are not isolated incidents; they are symptoms of a broader regulatory vacuum. As India races towards a trillion-dollar digital economy, ensuring the safety and dignity of its citizens' data is non-negotiable. The Digital Personal Data Protection Act, 2023 offers a strong legal foundation, but without immediate operationalization and enforcement, its potential remains unfulfilled.

The question is no longer if the DPDPA should be enforced but how quickly we can act before the next breach becomes tomorrow’s headline.