Personal Data Breach Register · DPDP §8.6
Notify DPB within 72hr · notify affected data principals · CERT-In notify within 6hr · auto-template ready
Active breaches: 0
90-day count: 0
Lifetime breaches: 4
72hr notify compliance: 100%
Days since drill: 15d
Breach register · last 12 months
| Breach ID | Detected | Severity | Affected | Root cause | DPB notified | Status |
|---|---|---|---|---|---|---|
| BRC-2025-0004 | 22 Aug 2025 · 14:32 | MEDIUM | 1,847 customers · names+masked PAN | vendor (Karza) SQL injection patched | 23 Aug · 09:15 (within 19hr) | closed · 30 Sep |
| BRC-2025-0003 | 14 Jun 2025 · 02:18 | LOW | 1 internal user · log access | misconfigured S3 bucket policy | not required (low severity) | closed · 15 Jun |
| BRC-2024-0002 | 18 Nov 2024 · 22:05 | HIGH | 42 customers · selfie photos exposed | misconfigured CDN cache, exposed to crawlers | 19 Nov · 08:30 (within 11hr) | closed · 22 Jan 2025 |
| BRC-2024-0001 | 3 Mar 2024 · 11:42 | LOW | 1 customer · DOB visible in confirmation email | email template bug | not required | closed · 4 Mar |
72hr DPB notification runbook
Trigger: Breach detected → severity ≥ MEDIUM
SLA: Notify DPB (Data Protection Board) within 72 hours of becoming aware · CERT-In within 6 hours
- Detect & contain (T+0 to T+1hr) — isolate affected systems · stop bleeding
- Triage (T+1 to T+6hr) — classify severity, count affected, identify root cause
- CERT-In notify (T+6hr) — file at cert-in.org.in/incident-report · template auto-filled from breach data
- Stakeholder brief (T+12hr) — DPO, CISO, Legal, CEO informed
- DPB notify (T+72hr max) — file at dpb.gov.in/breach-notify · include scope, cause, mitigation, customer impact
- Customer notify (T+72hr max) — affected customers emailed · masked PII via DSAR channel
- Mitigation (T+30d) — root cause fix, vendor remediation, audit trail update
- Post-mortem (T+45d) — RCA published internally, controls updated, drill scheduled
Auto-detect monitors
| Monitor | Threshold | Last triggered | Status |
|---|---|---|---|
| Unusual bulk data export (>10K rows / hr) | 10K rows | — | armed |
| API key compromise (anomalous geo) | request from non-IN region | 22 Aug 2025 | armed |
| S3 bucket public-read enabled | any bucket toggles public | 14 Jun 2025 | armed |
| Failed login burst (single user, >20 attempts) | 20 / hour | — | armed |
| DB query returning PII without WHERE clause | full-table scan + PII columns | — | armed |
| Vendor API 5xx burst (potential SQLi) | 50 errors / min | 22 Aug 2025 | armed |
| Audit chain hash mismatch | any Merkle break | — | armed |
| Cross-border data transfer to non-whitelisted region | any non-IN destination | — | armed |
Drill schedule · tabletop exercises
| Date | Scenario | Participants | Outcome |
|---|---|---|---|
| 30 Apr 2026 | Vendor compromise (Karza) · 5,000 customer records | DPO, CISO, Legal, Eng, CEO | passed · DPB form filed in 18hr (sim) |
| 30 Jan 2026 | Insider exfiltration · 200 customer selfies | HR, Legal, DPO, CISO | passed · 31hr to notify (sim) |
| 30 Oct 2025 | Ransomware on KYC DB | Eng, CISO, DPO, Legal | gap · backup restore took 8hr (target 4hr) |
| 30 Jun 2026 (next) | UPI vendor outage + PII spill | scheduled | upcoming |