Major Indian Companies Fall Victim to Cyber Threats as Security Firms Profit
A troubling trend has emerged in India’s cybersecurity landscape, revealing that several prominent companies have fallen victim to significant data breaches over the past few years. As corporations grapple with the ramifications of these attacks, cybersecurity consulting firms appear to be reaping financial rewards without delivering adequate security improvements. This report highlights notable breaches that occurred between April 2022 and April 2025, detailing the implications for affected organizations and the prevailing issues within the cybersecurity sector.
Among the companies targeted by cybercriminals, Air India reported a breach impacting sensitive passenger data, including names and passport details, affecting over 4.5 million customers worldwide. This incident underscores the vulnerabilities present in global travel operations and raises alarms over data stewardship in the airline industry. Similarly, BigBasket experienced a breach that exposed over 20 million user accounts, releasing email addresses, hashed passwords, and personal order information, which has since surfaced for sale on the dark web.
Telecom giant Bharat Sanchar Nigam Limited (BSNL) suffered a breach that compromised network configurations and employee data, exacerbating concerns regarding the security of Indian telecommunications infrastructure. Online travel services provider, Cleartrip, faced unauthorized access, leading to the exposure of customers’ travel information, while Jubilant FoodWorks, the parent company of Domino’s India, suffered the theft of 13 terabytes of data, including significant credit card records of over one million customers. These breaches illustrate the breadth of sectors affected, from aviation and e-commerce to telecommunications.
The repercussions of such attacks extend beyond immediate data loss. The State Bank of India reported compromised SMS logs and account details resulting from phishing and system misconfigurations, highlighting deficiencies in banking cybersecurity measures. The healthcare sector is also not spared; Star Health Insurance faced a breach that leaked over 6 million sensitive medical records, raising critical concerns regarding patient privacy and data protection principles.
As these breaches unfolded, there has been increasing scrutiny over the roles played by cybersecurity firms in India. Critics argue that many consulting companies prioritize compliance over genuine security, providing generic solutions that often do not address the specific threats facing businesses. The prevalence of performative compliance, driven by regulatory mandates, can lead to a false sense of security, as firms engage in risk management that falls short of tangible security improvements.
The investigation following breaches is often superficial, as forensic reports focus on rapid assessments rather than root cause analysis, leaving organizations vulnerable to subsequent attacks. Despite steep fees charged by these firms, the ineffectiveness of their measures raises questions about the real return on investment for companies seeking robust cybersecurity solutions.
Moreover, the role of threat intelligence providers in India has come under scrutiny as well. These entities typically offer costly services that promise actionable insights into cybersecurity threats, yet deliver generic information that lacks specificity or context. In a nation grappling with an uptick in breaches, such as those seen at BSNL and State Bank of India, the failure to leverage threat intelligence effectively only exacerbates vulnerabilities.
The current landscape reveals that cybersecurity in India has increasingly devolved into a compliance-driven industry, where the priority lies in meeting regulatory requirements rather than fostering an environment of proactive security measures. This compliance-centric approach has implications for the overall resilience of organizations facing sophisticated cyber threats.
As India’s digital landscape continues to evolve, there is an urgent need for reform in the cybersecurity ecosystem, particularly regarding accountability among service providers. Stricter regulations and enhanced oversight could deter negligence and cultivate a culture centered on substantial security rather than compliance for its own sake. The recent breaches beg a critical question: What measures will be implemented to ensure that those responsible for cybersecurity are held accountable for their performance, ultimately reinforcing trust in the nation’s digital infrastructure?
This evolving narrative serves as a call to action for stakeholders across industries to reassess cybersecurity strategies and challenge the status quo in a landscape fraught with risk. As businesses strive to fortify their defenses, a comprehensive approach that transcends mere compliance will be vital in addressing the cyber threats that loom over India’s corporate sector.
