data theft scenarios HR India, Mumbai HR head reviewing exit audit, Sirius Star

5 real data theft scenarios your HR team should be worried about


Last November a senior recruiter resigned from a 280-person Pune fintech NBFC. He carried five years of candidate emails, offer letters, and a CSV of every notice-period employee on his way out. The HR head only realised the gap three months later when a competitor started cold-calling her people with eerily accurate compensation numbers. By then the data had moved twice and her audit trail was empty.

That is not unusual. Across approx 60 percent of the HR exits we have audited for Indian mid-size companies, at least one of these five data theft scenarios was sitting in the file logs. Most HR heads never see them because the leak channel runs through systems HR owns. IT is not watching because HR systems are not on the standard endpoint policy. And the recruiter, payroll exec, or HR business partner who walks the data out is rarely caught because the action looks like work.

This post walks through the five data theft scenarios most Indian HR teams miss, the DPDP angle for each, what they cost when they go wrong, and a 14-day fix you can start tomorrow morning even if HR and IT don’t talk to each other today.

The DPDP angle nobody tells HR

HR data is personal data. The DPDP Act 2023 makes no distinction between customer data and employee data when it comes to data fiduciary duty. Salary slips, offer letters, biometric attendance, group medical claim lists, performance reviews, PF/UAN numbers, address proofs, family member details on insurance forms: all of it is personal data of identifiable individuals. The company is the data fiduciary. Section 8(5) of the Act puts the duty to protect that data with reasonable security safeguards on the fiduciary, and the Schedule to the Act sets the penalty for failing that duty at up to ₹250 Crore per instance.

The cap is theoretical for most companies. The realistic risk is approx ₹1.5 to 9 Crore in advisory and remediation costs after a notice, plus the wrongful-termination suits that follow when leaked performance reviews show up in a labour court. India’s average breach cost in 2024 was ₹19.5 Crore per IBM’s 2024 Cost of a Data Breach report. The number people think of when they say “data breach” is usually customer data. The number that has been climbing fastest in BFSI advisory work is HR data.

Megha runs HR at the 280-person Pune NBFC I mentioned. Last November her senior recruiter left and she could not say whether five years of candidate emails went with him. That uncertainty is the gap this post is for.

Scenario 1: The recruiter exit

The most common HR-side data theft. The recruiter has been auto-forwarding every offer letter, every candidate’s resume, and every internal compensation grid to a personal Gmail account for “backup.” On the day she resigns, the auto-forward rule is the only thing in her HR mailbox she does not delete. She doesn’t need to copy anything onto a USB. The data has been leaving for years, one offer letter at a time.

What it costs when it shows up: a senior recruiter from a competitor calls your top 30 performers with their exact in-hand CTC. Two of them resign. You lose approx ₹40 to 70 Lakh in replacement cost, plus the productivity hit. If the recruiter goes on to set up her own shop, your candidate database becomes her starting customer list. Six months later your hiring TAT has doubled and you don’t know why.

The DLP fix is simple but only works if you actually deploy it: block auto-forward rules from corporate mailboxes to personal domains by policy at the Microsoft 365 or Google Workspace tenant level. It takes 20 minutes to configure. One caveat: turning the block on stops the flow, it does not tell you what already left. Export the existing forwarding rules at the same time, because each rule’s creation date is the start of that mailbox’s exposure window. Most Indian HR teams have never asked their IT head to turn it on because the conversation has never come up.

Scenario 2: The salary slip side-business

A payroll executive keeps the monthly salary slip CSV on her laptop “to answer queries faster.” She also runs a quiet tax consultancy on the side for 30 of your employees. Their PAN, salary breakup, and HRA structure live on her personal laptop and her personal email, and receive a quarterly refresh from her, the full one every March before filing. The employees know. They like the convenience. Nobody told you.

The DPDP exposure here is direct. You are the data fiduciary for those 30 employees. The payroll executive is processing their personal data outside any consent or legitimate use the Act recognises, and outside your boundary. If one of those employees ever disputes a tax filing in court, the chain of custody on their salary data leaves your firm holding the bag. The exposure is the same Section 8(5) safeguard duty; the real cost is the reputational drag when 30 employees realise their CTC was on someone’s home laptop.

This is the scenario most companies discover during a routine endpoint scan. The CSV is sitting in a “Personal” folder, sometimes named “Office tax help.” Once you find one, you find three.

Scenario 3: The performance review leak

An HR business partner takes appraisal cycle PDFs home on her personal laptop in March because the office network is slow and she wants to finish the moderation calibration over the weekend. The PDFs include the 360-degree feedback, the development notes, and the comp recommendation deltas for approx 80 employees. Six months later one of those employees is terminated for performance. He files a wrongful-dismissal suit. His lawyer somehow has the verbatim 360-feedback PDF, including the line where his manager called him “not promotable for two more years.” Discovery confirms the PDF left the HR network from the business partner’s home Wi-Fi on 12 March.

The cost: an out-of-court settlement in the ₹8 to 22 Lakh band, plus the labour-court time, plus the chilling effect on every manager who now writes deliberately vague reviews because she does not trust her own HR partner. This pattern accounts for about 18 percent of the wrongful-termination matters we have reviewed in advisory work over the last two years, and the trend is up.

What stops it: a clear HR policy that says appraisal documents do not leave the HRIS, period. Enforced through Secure Data Guard or any DLP that watches the document classes you tag. Not enforced through trust.

Scenario 4: The medical and insurance trail

Your group medical insurance broker asks every six months for an updated employee list with date of birth, gender, dependents, and pre-existing condition flags so he can re-rate the premium. Your HR ops sends him a CSV over WhatsApp because email rejected the attachment size. The broker sits in his small office in Andheri and the CSV is now on his laptop, his phone, and his personal cloud drive that he last logged into in 2021. He shares the file with the underwriter at the insurer over their shared Google Drive. There are now four copies of your employees’ medical data outside your boundary.

The DPDP angle is unambiguous. Medical and dependent details are personal data. The DPDP Act dropped the old SPDI Rules’ separate “sensitive personal data” tier, but that applies the same Section 8(5) safeguard duty to health data; it does not relax it. The broker processes that data on your behalf, which makes him your data processor. You are the data fiduciary. If the broker is breached, and small Mumbai broker offices get breached more often than the press reports, every one of your employees can serve you a notice. Practically, the discovery moment is when one employee asks why his diabetes is showing up on a third-party insurer’s renewal call.

The fix is harder than the others because the broker is a real workflow dependency. The right answer is a data processing agreement plus a secure-transfer mechanism: a portal, not WhatsApp. Most brokers will agree because they have heard the DPDP word too. The conversation has not happened in your office because HR has not asked.

Scenario 5: The departing HR Director

The hardest data theft scenario, and the most expensive. Your HR Director resigns to join a competitor. On her last day she copies the full employee master database, all org charts, all comp tiers, all open positions, all upcoming review notes, and a folder she has been quietly maintaining called “Retention risk.” She tells the IT helpdesk it is “her personal documents.” The IT helpdesk does not have a policy that distinguishes personal documents from employee data when the person carrying them out is the HR Director. The USB walks out at 6:40 pm on a Friday.

Three months later your competitor poaches eleven of your people in a sequenced way that maps perfectly to that retention-risk folder. You lose approx ₹2 to 3 Crore in replacement cost plus the strategic damage. Post-employment non-competes are generally unenforceable in India under Section 27 of the Indian Contract Act, 1872, so the HR Director’s clause will not help you. Your legal recourse on the data theft alone is theoretical because you cannot prove the data left.

What you can do: insist on the same exit protocol for HR leadership that you insist on for engineering and finance leadership. Device imaging on the last day. Mailbox review for the previous 90 days. Access logs pulled for every HRIS module. This is unpopular because it implies suspicion of a person who has just spent five years building your culture. It is also the only thing that closes the gap.

The 14-day data theft scenarios fix for HR

Megha is using this exact 14-day plan at the Pune NBFC. The first version felt overengineered. The version below is what survived contact with reality.

Days 1 to 3. Sit with your IT head for one hour. Ask him to turn on three things: block auto-forward rules from corporate mailboxes to personal domains; flag any HR mailbox sending more than 50 MB of attachments outward in a single week; alert on any login to HR systems from outside the office IP range on weekends. Twenty minutes of policy work, two days of testing, day three deployed.
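
How the three Day 1 to 3 checks look as detection logic, as an added example that is not Sirius Star code and not part of the original post. It runs over constructed sample logs: an exported list of inbox rules (the Scenario 1 auto-forward check), message-trace rows with attachment sizes (the 50 MB-per-week flag) and HR-system sign-in events (the weekend off-site login alert). The corporate domain example.co.in, the office range 203.0.113.0/24, the HR system names and the column layouts are all assumptions; the real exports come from your tenant’s admin tooling, and the real policy should live there.

```python
# Added example, not Sirius Star code: the three Day 1-3 controls, run as
# detection logic over constructed sample logs. Everything below is assumed:
# the corporate domain, the office egress range (TEST-NET addresses), the
# column layouts of the exported rules, message trace and sign-in log.
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

CORP_DOMAIN = "example.co.in"                  # assumed corporate mail domain
OFFICE_NETS = [ip_network("203.0.113.0/24")]   # assumed office IP range
WEEKLY_ATTACH_LIMIT_MB = 50                    # threshold from the 14-day plan
HR_SYSTEMS = {"hris", "payroll", "ats"}        # assumed HR system names in the sign-in log

# Constructed sample: inbox rules exported per mailbox (mailbox, rule name, forward-to address)
INBOX_RULES = [
    ("recruiter1@example.co.in", "backup", "recruiter.backup@gmail.com"),
    ("hrops@example.co.in", "to-claims", "claims@example.co.in"),
    ("payroll@example.co.in", "move-newsletters", ""),   # no forwarding target
]

# Constructed sample: message trace rows (mailbox, ISO timestamp, recipient domain, attachment MB)
MESSAGE_TRACE = [
    ("recruiter1@example.co.in", "2025-03-03T10:15:00", "gmail.com", 12.0),
    ("recruiter1@example.co.in", "2025-03-05T18:40:00", "gmail.com", 30.5),
    ("recruiter1@example.co.in", "2025-03-07T09:05:00", "gmail.com", 9.0),
    ("hrops@example.co.in", "2025-03-04T11:00:00", "example.co.in", 45.0),
]

# Constructed sample: HR-system sign-ins (user, ISO timestamp, system, source IP)
SIGNINS = [
    ("hrbp@example.co.in", "2025-03-08T21:12:00", "hris", "198.51.100.5"),    # Saturday, home ISP
    ("hrbp@example.co.in", "2025-03-10T09:30:00", "hris", "203.0.113.40"),    # Monday, office
    ("payroll@example.co.in", "2025-03-09T14:00:00", "crm", "198.51.100.9"),  # Sunday, not an HR system
]


def external_forwarders(rules, corp_domain=CORP_DOMAIN):
    """Inbox rules that forward to any address outside the corporate domain."""
    suffix = "@" + corp_domain.lower()
    return [(mbx, name, target) for mbx, name, target in rules
            if target and not target.lower().endswith(suffix)]


def heavy_outbound_mailboxes(trace, limit_mb=WEEKLY_ATTACH_LIMIT_MB, corp_domain=CORP_DOMAIN):
    """Mailboxes whose external attachment volume exceeds limit_mb in any ISO week."""
    totals = defaultdict(float)
    for mbx, ts, rcpt_domain, mb in trace:
        if rcpt_domain.lower() == corp_domain.lower():
            continue                                   # internal mail does not count as egress
        year, week, _ = datetime.fromisoformat(ts).isocalendar()
        totals[(mbx, year, week)] += mb
    return {key: round(total, 1) for key, total in totals.items() if total > limit_mb}


def offsite_weekend_logins(events, nets=OFFICE_NETS, hr_systems=HR_SYSTEMS):
    """HR-system sign-ins on Saturday or Sunday from outside the office ranges."""
    hits = []
    for user, ts, system, ip in events:
        when = datetime.fromisoformat(ts)
        if system not in hr_systems or when.weekday() < 5:   # Mon=0 .. Sun=6
            continue
        if not any(ip_address(ip) in net for net in nets):
            hits.append((user, ts, system, ip))
    return hits


if __name__ == "__main__":
    for hit in external_forwarders(INBOX_RULES):
        print("FORWARD-RULE", *hit)
    for (mbx, year, week), mb in heavy_outbound_mailboxes(MESSAGE_TRACE).items():
        print(f"HEAVY-EGRESS {mbx} week {year}-W{week:02d}: {mb} MB")
    for hit in offsite_weekend_logins(SIGNINS):
        print("WEEKEND-OFFSITE", *hit)
```

The forwarding check flags any target outside the corporate domain rather than a blocklist of Gmail and Outlook addresses, because the personal domain you did not think of is the one that leaks. The attachment total is per ISO week and excludes internal recipients, which is the egress the plan cares about; the internal 45 MB send in the sample is not flagged, the three external sends that add up to 51.5 MB are.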

Days 4 to 7. Run an endpoint scan on every HR laptop for CSV files containing the strings “salary,” “CTC,” “appraisal,” or “medical.” This is the discovery moment. You will find at least one. Have a quiet conversation with the owner. Pull the file. Document the chain of custody. This is paisa-vasool work because the cost is low and the surface area you cover is high.
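
The Day 4 to 7 discovery scan, as an added example rather than the scan command in the Sirius Star checklist. It walks a directory tree, samples the first rows of every CSV for the four strings the plan names (in the file name or the content), looks for PAN-shaped values as an extra signal, and records path, size, last-modified time and SHA-256 for each hit so the chain of custody starts at discovery. Scanning only .csv files, the 50-row sample, the PAN check and the custody fields are assumptions; the sample files it builds in a temporary folder are constructed and stand in for a laptop’s Personal and Downloads folders.

```python
# Added example, not Sirius Star code: the Day 4-7 discovery scan over a
# constructed sample tree, recording hash, size and mtime for chain of custody.
# The keyword list is the one the post names; scanning only .csv files, sampling
# the first 50 rows, the PAN-shaped-value check and the custody fields are assumptions.
import csv
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone

KEYWORDS = ("salary", "ctc", "appraisal", "medical")
PAN_RE = re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b")   # Indian PAN layout, assumed extra check
ROWS_TO_SAMPLE = 50


def sha256_of(path):
    """Hash the file so the finding can be matched to the copy later pulled into evidence."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inspect_csv(path, keywords=KEYWORDS, rows=ROWS_TO_SAMPLE):
    """Return (matched keywords, PAN-shaped value seen) from the file name and first rows."""
    name = os.path.basename(path).lower()
    matched = {k for k in keywords if k in name}
    pan_seen = False
    with open(path, newline="", encoding="utf-8", errors="replace") as fh:
        for i, row in enumerate(csv.reader(fh)):
            if i >= rows:
                break
            for cell in row:
                low = cell.lower()
                matched.update(k for k in keywords if k in low)
                if PAN_RE.search(cell):
                    pan_seen = True
    return sorted(matched), pan_seen


def scan_tree(root):
    """Walk root and return custody records for every .csv that looks like HR data."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".csv"):
                continue
            path = os.path.join(dirpath, fname)
            matched, pan_seen = inspect_csv(path)
            if not matched and not pan_seen:
                continue
            st = os.stat(path)
            findings.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "keywords": matched,
                "pan_seen": pan_seen,
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_of(path),
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(root):
    """Constructed files standing in for a payroll executive's laptop (not real data)."""
    samples = {
        "Personal/Office tax help.csv":
            "EmpID,Name,PAN,Gross Salary,HRA\nE101,Asha,ABCDE1234F,85000,20000\n",
        "Downloads/appraisal_cycle_FY25.csv":
            "EmpID,Rating,Comment\nE102,3,Meets expectations\n",
        "Desktop/vendor_list.csv":
            "Vendor,City\nStationery Co,Pune\n",
        "Desktop/notes.txt":
            "salary discussion on Monday\n",          # not a CSV, deliberately skipped
    }
    for rel, body in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8", newline="") as fh:
            fh.write(body)


def demo_scan():
    """Build the constructed tree in a temp folder, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo_scan():
        print(f["path"], f["keywords"], "PAN" if f["pan_seen"] else "-", f["sha256"][:12])
```

The hash and timestamp are recorded at the moment of discovery, before anyone opens or moves the file; that is what lets you show later that the CSV you pulled from the laptop is the CSV you found. Matching on the file name as well as the content is deliberate: the appraisal export in the sample has no keyword inside it, only in its name.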

Days 8 to 10. Write a one-page HR data handling policy. The template you need is not 14 pages. It is: this data is personal data under DPDP; here is the list of HR systems it lives in; here is what you can copy out and what you cannot; here is the consequence if you do. One page. Email it to every HR team member. Have each one reply “read and acknowledged.”

Days 11 to 12. Audit your data processor relationships. List every external party that touches HR data. Group medical broker, payroll outsourcer, background check agency, learning vendor, insurance underwriter. Each one needs a data processing agreement with three clauses: scope of data, retention period, breach notification within 72 hours. We have a template; reply BROKER on WhatsApp if you want it.

Days 13 to 14. Build the leadership-exit playbook. Mailbox forensic review on the last day. USB block by default. Access logs pulled. Document classification on every HRIS module so the system itself flags an unusual download. This is the part you cannot improvise. By the way, did you know there is a one-page leadership exit checklist sitting in the appendix of our DPDP readiness check? It is the same one Megha is rolling out at the NBFC.
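
The HRIS access-log filter from the leadership-exit playbook (Scenario 5 and Days 13 to 14), as an added example that is not the Sirius Star one-pager’s query. It builds each user’s own export baseline per module from the audit log before the review window, then flags export days in the window that cover half the headcount or more, that touch a module the user never exported before, or that run at more than five times the user’s baseline. The audit-log layout, module names and both thresholds are assumptions; real HRIS products expose their audit data in their own formats, and the point is the comparison against the person’s own history, not the specific columns.

```python
# Added example, not Sirius Star code: the HRIS access-log check from the
# leadership-exit playbook, run over a constructed audit log. The log layout,
# the module names, the 5x-baseline and half-headcount thresholds are assumptions.
from collections import defaultdict
from statistics import median

# Constructed HRIS audit rows: (user, ISO date, module, records exported in that event)
AUDIT = [
    ("hrdirector", "2025-01-15", "employee_master", 12),
    ("hrdirector", "2025-01-22", "employee_master", 8),
    ("hrdirector", "2025-02-04", "comp", 15),
    ("hrdirector", "2025-02-18", "employee_master", 10),
    ("hrdirector", "2025-03-28", "employee_master", 280),   # last Friday: the whole company
    ("hrdirector", "2025-03-28", "comp", 280),
    ("hrdirector", "2025-03-28", "org_chart", 40),          # module never exported before
    ("hrops", "2025-02-10", "employee_master", 9),
    ("hrops", "2025-03-28", "employee_master", 9),          # normal volume for this user
]


def export_baseline(rows, user, before):
    """Median records-per-day per module for `user`, using only days before `before`."""
    per_day = defaultdict(int)
    for u, day, module, n in rows:
        if u == user and day < before:          # ISO dates compare correctly as strings
            per_day[(module, day)] += n
    by_module = defaultdict(list)
    for (module, _), n in per_day.items():
        by_module[module].append(n)
    return {module: median(counts) for module, counts in by_module.items()}


def flag_exports(rows, user, review_from, headcount, multiple=5, floor=100):
    """Export days on/after review_from that are bulk, first-ever for a module, or a spike."""
    base = export_baseline(rows, user, review_from)
    per_day = defaultdict(int)
    for u, day, module, n in rows:
        if u == user and day >= review_from:
            per_day[(module, day)] += n
    flagged = []
    for (module, day), n in sorted(per_day.items()):
        if n >= headcount / 2:
            reason = "bulk"              # half the company or more in one day
        elif module not in base:
            reason = "first-export"      # this user never pulled this module before
        elif n > max(multiple * base[module], floor):
            reason = "spike"             # well above the user's own history
        else:
            continue
        flagged.append((day, module, n, reason))
    return flagged


if __name__ == "__main__":
    for day, module, n, reason in flag_exports(AUDIT, "hrdirector", "2025-03-01", headcount=280):
        print(f"{day} {module:16s} {n:5d} records  {reason}")
```

Run this against the last 90 days on the exit date and the output is the list of modules to discuss in the exit interview, with numbers. The baseline is per person on purpose: an HR Director pulling 280 rows is unusual for her, while a payroll exec pulling the same 280 rows on cycle day may be routine, and a fleet-wide threshold would miss the first and drown you in the second.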

That is the 14-day fix. It is not perfect. The five data theft scenarios will not disappear. The probability of being the next case study drops by what we observe to be approx 70 to 80 percent because the easy exits stop being easy.

What this means for your DLM contract

If you are also running 50 plus laptops, the HR endpoint scan is the same scan you should be running on every device anyway. Buying 50 plus devices? Ask Sirius Star about Device-as-a-Service. The same fleet contract that ships laptops also imaging-locks them, monitors data movement at the endpoint, and gives you the audit trail you need when HR has to answer a regulator notice three years from now. Most Indian companies treat DLP and device management as two different procurement decisions. We treat them as one fleet contract with one set of evidence logs.

FAQ

Is HR data covered under the DPDP Act 2023? Yes. The DPDP Act treats all personal data of identifiable individuals as in scope, with no separate carve-out for employee data. Salary slips, offer letters, biometric attendance, performance reviews, and group medical claim lists are all personal data of identifiable individuals. The company is the data fiduciary. Section 8(5) puts the duty of reasonable security safeguards on the fiduciary, and the Schedule to the Act caps the penalty for breaching that duty at ₹250 Crore per instance.

How do most HR data theft scenarios actually start? The most common starting point is an auto-forward rule from a corporate HR mailbox to a personal Gmail or Outlook account, set up “for backup” and never reviewed. The second most common is a CSV download saved to a personal folder on a work laptop. Neither action looks like theft until the person leaves.

Should HR run its own data theft monitoring or hand it to IT? HR should own the policy. IT should own the monitoring. The handoff is the part most Indian companies get wrong: HR writes a policy and assumes IT will enforce it, or IT deploys a tool and assumes HR will know what data to protect. Both teams need to sit in one meeting once a quarter and review the alerts list together.

What is a realistic DLP project budget for a 200 to 500-person Indian company? Allow approx ₹4 to 18 Lakh annually for a Secure Data Guard or equivalent endpoint DLP deployment, depending on device count and feature tier. The discovery scan in days 4 to 7 of the 14-day plan typically pays for the year-one license inside the first eight weeks because the things you find are the things that would have cost you 20x to clean up after the fact.

Can we do this without disrupting our HRIS workflow? Yes. The five data theft scenarios in this post involve data movement out of HR systems, not data flow inside them. Policy and DLP enforcement happens at the egress layer: mailbox auto-forwards, endpoint copies, external file transfers. The HRIS keeps working exactly as it did. Your recruiter still gets her dashboard. Your payroll exec still runs the monthly cycle. The only thing that changes is the data leaving without a reason.

Priya’s take

I have sat through approximately fifteen HR scoping conversations in the last six months and not one of them started with “we think HR is the leak.” They all started with “we just want to be DPDP-ready before May 2027.” Somewhere in hour two, the HR head mentions one of the five data theft scenarios above as an aside. That aside is the conversation we actually need to have.

HR is not the leak because HR is careless. HR is the leak because HR was never told to look.

Sudeep raised this at our Monday review last quarter when we were scoping a 400-person BKC asset manager. His exact pushback was: “If the HR data is the most regulated data the company holds, why does it have the loosest controls?” Nobody had a clean answer. The asset manager rolled out the 14-day plan in March. Their HR Director left two weeks ago. The exit was clean because the protocol was already there. Theek hai, that is the win the playbook is for.

The part nobody says out loud, bhai: most HR Heads I meet are not afraid of the regulator. They are afraid of the conversation with their CEO when the leak shows up. The fix is paisa-vasool because it removes that fear before the conversation has to happen.

By the way

By the way, did you know we keep a one-page “HR Exit Data Audit” checklist that maps each of the five scenarios above to the specific log file your IT team should pull on the last day? Megha printed three copies and put one in her drawer. Reply HRSCRIPT on WhatsApp and we will send it. It includes the mailbox forensic query, the endpoint scan command, and the HRIS access-log filter. Those three things, between them, close approx 80 percent of the exit-data gap.

What to do next

Free DPDP readiness check for your HR systems. 200 plus businesses trust Sirius Star with their DPDP compliance posture. Response within 4 hours, IST business days. If our 60-minute scoping conversation does not surface at least three concrete data theft scenarios specific to your HR workflow, the scoping is free.

Talk to Sirius Star on WhatsApp about HR data theft scenarios

Free DPDP readiness check: 10 questions, 12 minutes, scored across the same five scenarios above. The HR-Exit Data Audit one-pager is the lead magnet attached to the result.

Or read the deeper sibling piece on how employees steal company data and the Secure Data Guard product page if you want the full DLP stack overview.

P.S.

P.S. The “HR Exit Data Audit Checklist” is a one-page PDF we built for Megha’s 14-day rollout at the NBFC. Reply HRSCRIPT on WhatsApp and we will send it. It includes the mailbox forensic query for the last 90 days, the endpoint scan command set, and the HRIS access-log filter. Between them, those three checks surface the five data theft scenarios from this post inside a single afternoon.
