Your go-to hub for Expert Insights,
Publications, and Resources on
data privacy and compliance

The Ministry of Electronics and Information Technology (MeitY) has initiated an official inquiry into the potential exposure of Indian citizens' personal data following reports of a major global data breach involving approximately 16 billion digital accounts.

This data leak, being described as one of the largest of its kind globally, has reportedly compromised usernames, passwords, and sensitive personal details sourced from multiple platforms, including Apple, Facebook, Google, GitHub, and Telegram, as well as various government service portals.

According to senior government officials, MeitY has directed the Indian Computer Emergency Response Team (CERT-In) to coordinate with intermediaries, data centers, corporate entities, and relevant government organizations to assess the presence and scale of Indian data within the breached datasets. CERT-In is expected to report its findings in accordance with India’s cyber incident response protocols.

"Given the scale and scope of this breach, there is a high probability that Indian users’ data has been affected," a government official stated, emphasizing the need for a prompt and coordinated response.

Initial findings by Cybernews, a global cybersecurity research outlet, suggest that the compromised data is dispersed across 30 databases and was likely harvested by various infostealer malware. The databases vary significantly in size, with the largest reportedly containing over 3.5 billion records—believed to be tied to a Portuguese-speaking demographic—while even the smallest dataset includes upwards of 16 million entries.

Despite attempts by the media to seek clarifications, major tech companies named in the breach like Apple, Meta, Google, and Microsoft have yet to respond regarding their awareness of the leak or the potential compromise of Indian user data.

Cybersecurity experts are now underscoring the urgency for both users and enterprises to move beyond traditional password protections. Vijender Yadav, Co-Founder and CEO of Accops, a cybersecurity solutions provider, stated, "The time for reactive password resets is over. Organizations must adopt robust multi-factor authentication (MFA), including biometric verification, to ensure deeper levels of protection against credential-based attacks."

This development also brings renewed focus on the cyber incident reporting norms issued by MeitY in 2022. Under these guidelines, all entities are required to report cyber incidents to CERT-In within specified timelines and provide details on the attack's nature, affected systems, the scale of data loss, and whether impacted users have been notified. Additionally, organizations are mandated to maintain a 180-day rolling log of all IT and system activity, stored within Indian borders, and be ready to submit such logs upon request.

As the investigation unfolds, both government bodies and private organizations are expected to reinforce their cyber preparedness and transparency in line with national cybersecurity protocols.