What Is the Average Cost of a Data Breach in India?

Axel Sukianto
Axel Sukianto
updated Sep 02, 2022

According to the IBM Security Data Breach Report of 2022, India's average data breach cost is at a record high of Rs 17.6 crore (Rs 175 million, which is around $2.2 million) for the fiscal year of 2022.

This is a 6.6% increase from last year's Rs 16.5 crore and an uptick of 25% from the average cost of Rs 14 crore in 2020, as stated by IBM analysts.

Additionally, India's average per-record data breach cost has reached an 11-year high of Rs 6,100, which is a 3.3% increase from Rs 5,900 in 2021, and a 10.4% rise of Rs 5,522 since 2020, as stated by the same IBM reports.

IBM’s findings are based on a real-world analysis of data breaches that affected more than 550 companies between March 2021 and March 2022. Around this time, almost 30,000 records, on average, have been breached by March 2022.

While presenting at IBM Security Command Center, the Vice President of IBM Technology Sales and IBM India/South Asia, Viswanath Ramaswamy, stated:

“As the digital onslaught of transformation goes higher and higher, the vulnerability coefficient also goes higher. It is a straight mathematical equation. It’s been proven in this report.”

He also notes: “The India findings illustrate the growing magnitude of the threat over time. Businesses cannot evade cyberattacks.”

India Ranks Seconds in Terms of Data Breaches Events

According to Surf Shark, India ranked second in the world by the number of data breaches for Jan-Jun 2022 and 14th in terms of average data breach costs.

For comparison, the global average cost of a data breach has reached a new record of $4.35 million in 2022 for surveyed organizations, as reported by IBM.

With the ever-increasing digitalization of social and economic sectors, governments take the importance of understanding privacy and data protection much more seriously.

As of today, a single data breach costs India’s govt. Rs 17.6 crore, which is around USD 2.2 million. IBM calls the cyber attacks "the biggest challenge" to the industry.

Learn why vendor risk management is critical for businesses in India.

How Data Breaches Affect India

Industrial companies have suffered the most damage from cyberattacks, as the cybersecurity “threat magnitude” saw a record number of instances of data breaches for the first half of 2022.

According to the IBM findings, the three factors associated with the highest cost increase are:

  • Cloud migration (more often when an organization migrates to a cloud server);
  • IoT and OT (Operational Technology) environment factors;
  • Third-party involvement.

Ramaswamy remarks: “Today, we have reached a point where cyberattacks are evolving into market stressors, hurting the economy.”

He states that hackers exploit the circumstances to attack important organizations with ransomware, ultimately leading to a “cyber tax” in which businesses can pass the costs of a data breach on to the consumer.

“60% of global businesses have raised their prices due to the data breach, contributing to inflation and inadvertently passing the cost on to customers.”

The top three primary initial attack vectors for a data breach in India are:

  • Rs 21.6 crore for stolen/compromised credentials;
  • Rs 20.6 crore for phishing;
  • Rs 19 crore for accidental device and data loss.

On a global level, phishing is the costliest breach cause.

Click here to get a free preliminary evalutaion of your organization's data breach risk.

Surf Shark Reports on India’s Data Breach Issues

As of August, India ranks sixth as the most infiltrated country, according to the Netherlands-based cybersecurity firm Surf Shark VPN.

The reports and analysis from Surf Shark reveal that for the past 18 years, there have been almost 15 billion leaked accounts across the globe, and “a striking 254.9 million of them belong to users from India.”

Surf Shark Reports on Personal Info and Data Point Vulnerabilities

According to the Surf Shark reports, 962.7 million Indian data points have been leaked since 2004. A “data point” is a numerical entity given to any piece of information belonging to an individual, and it can be a name, age, bank account, and phone number.

Half of every ten compromised accounts are stolen together with passwords. For better context, 18 in every 100 Indians have suffered personal info theft from cyber attacks since 2004.  Most of the data points are names, telephone numbers, and passwords.

In the first quarter of 2022, approximately 304 Indian accounts were being breached by the minute. As of August 2022, India’s data breach rate is a staggering 740% higher than in Q1, which is an alarming statistic.

Surf Shark was the second big VPN service to shut down their servers in India. This decision was a reluctant response to the country’s recent cybersecurity policy that mandated VPNs to record and keep customers’ logs for 180 days and their customers’ data for at least five years.

Surf Shark experts believe that the lack of privacy legislation may put India’s users’ critical data in danger of being stolen, used, or sold.

They state: “While the country’s tech industry proves to be affluent, the protection of personal digital data falls short compared with international standards.”

Authoritative news sources also suggest that India’s digital privacy weakens with every new cybersecurity bill, while the current laws and regulations are outdated.

The Aadhaar Database Data Breach

The Aadhaar database data breach is reportedly India’s most concerning cybersecurity incident in which more than a billion IDs of Indian citizens were leaked and exposed.

According to the World Economic Forum’s Global Risks Report in 2019, it was the most significant data breach in the world for 2018.

Slow Response Time

Information gathered from the IBM Security reports states that organizations with less than 50% remote-work adoption took 212 days as the average time to identify a data breach.

Data breach containment took an average of 75 days.

Organizations with over 50 percent remote work adoption took 266 days on average to identify a data breach and 91 days to contain it.

The average mean time to identify a breach decreased from 239 to 221 days, and the average mean time to contain a data breach rose only marginally from 81 to 82 days.

Proposing New Directives and Guidelines

The study notes that India’s CERT-In (Computer Emergency Response Team) has a new cybersecurity directive, which gives VPNs (virtual private networks) 5 years to store user data on a know-your-customer basis.

“The new CERT-In directive calls companies to extensive data collection within Indian jurisdiction, putting even more of users’ data at risk to be breached,” the study points out.

Interestingly, the report emphasizes that the average mean time to identify a data breach in India had decreased from 239 to 221 days in 2022, while the average time to contain a data breach increased from 81 to 82 days.

6-Hour Deadline to Report a Data Breach

On April 28, 2022, the Indian Govt. issued strict guidelines for Cybersecurity Incident Reporting. The new legislation drastically shrinks the data breach reporting deadline compared to the period before the guidance was enforced. Reporting and notifying that a cyber incident had occurred was only required “within a reasonable time” after being identified. 

The reporting window now is significantly shorter than those in the EU or USA, and the short timespan doesn’t give Indian organizations enough time to establish the procedures required for a detailed data breach report to be given to CERT-In (the Indian Computer Emergency Response Team).

Learn more about India’s 6-hour data breach reporting rule.

Withdrawing the Personal Data Protection (PDP) Bill

The Indian Govt. proposed the Personal Data Protection (PDP) Bill in Lok Sabha on December 11, 2019. The bill was to protect Indian citizens’ privacy and data online.

However, despite long and arduous legislative changes and consulting processes, the long-awaited bill was withdrawn in August 2022.

Union Information and Technology Minister Ashwini Vaishnaw said the decision was based on several amendments proposed by the Joint Committee of Parliament (JCP), assuring that the Indian government can prepare a new bill in the near future.

Experts advise that India urgently needs a new and improved data protection bill that better safeguards privacy and personal information without increasing exemptions to state cybersecurity agencies.

Adopting Zero-Trust Deployment for Data

Ramaswamy suggested adopting zero-trust deployment to protect India’s data.

“To stay on top of growing cybersecurity challenges, investment in zero-trust deployments, mature security practices, and AI-based platforms can help make all the difference when businesses are attacked,” Ramaswamy advises.

The IBM Cost of Data Breach analysis reports that India’s organizations in the mature stage of adopting zero-trust deployment procedures faced Rs 160 million in data breach costs.

Early-stage cloud security organizations dealt with more than Rs 200 million in data breach costs. In comparison, organizations without a zero trust deployment witnessed a Rs 246 million total cost of a data breach.

“Keeping security capabilities flexible enough to match attacker agility will be the biggest challenge as the industry moves forward,” states Ramaswamy.

Affected Sectors and Industry Costs

India’s industrial sector, of which the most damaged were the manufacturing, chemical, and engineering sectors, had suffered a record average breach worth Rs 9,024.

The services industry sector comes second (legal, accounting, and consultancy), with a Rs 7,085 average.

Finally, the technology sector (software and hardware companies) reported Rs 6,900.

Global Healthcare Data Breach Costs

On a global level, healthcare data breach costs totaled a first-ever all-time high record of $10.1 million, hitting double digits and surpassing all other affected industry branches.

According to the annual IBM Cost of a Data Breach Report, the average healthcare data breach cost is the highest in 12 years. The average cost of a breach in the U.S. is $9.44 million.

Post-Response Costs are Higher

The four cost categories that comprise data breach costs are lost business, detection and escalation, notification, and post-breach response.

The post-response costs, or the costs regarding measures and processes after a data breach occurs, are the largest of the categories mentioned above that comprise the data breach costs for six consecutive years.

Compared to India’s overall data breach costs, post-breach response costs significantly surpassed all other expenses with Rs 7.1 crore, an increase of 5.65% or Rs 6.7 crore from 2021.

Private and Public Bank Reports

Indian private banks report that data breaches from June 2018 through March 2022 were the highest in business and personal information theft.

According to data by the Indian Govt., private and public banks reported fraud of Rs 6,861 crore for Q1 2022.

Are You at Risk of a Data Breach?

Get a preliminary evaluation of your organization's data breach risk. Click here to request your free instant security score now!

Free

UpGuard logo in white
UpGuard free resources available for download
Learn more

Download our free ebooks and whitepapers

Insights on cybersecurity and vendor risk management.
UpGuard logo in white
eBooks, Reports & Whitepapers
UpGuard free resources available for download
UpGuard customer support teamUpGuard customer support teamUpGuard customer support team

See UpGuard In Action

Book a free, personalized onboarding call with one of our cybersecurity experts.
Deliver icon

Sign up to our newsletter

Get the latest curated cybersecurity news, breaches, events and updates in your inbox every week.
Free instant security score

How secure is your organization?

Request a free cybersecurity report to discover key risks on your website, email, network, and brand.
  • Check icon
    Instant insights you can act on immediately
  • Check icon
    Hundreds of risk factors including email security, SSL, DNS health, open ports and common vulnerabilities
Website Security scan resultsWebsite Security scan rating