Data breach cost India: what a mid-size firm actually pays

Data breach cost figures for India cluster between approx Rs.14 crore and Rs.27 crore for a typical 200-500 person company once you add up regulator fines, breach response, lost business, and the eighteen months of client trust you cannot rebuild on a press release. IBM’s 2024 Cost of a Data Breach report puts the India average at approx $2.18 million (approx Rs.18 crore), and that is before DPDP Act fines start landing in May 2027. The cheap version of this story is the headline. The expensive version is the one your CFO does not see for the first six months.

Most CISOs at mid-size Indian firms still treat data breach cost as a CapEx line item: buy a DLP tool, buy a SIEM, done. That frame breaks the moment a real incident lands. A breach is not a tool failure. It is a cascade of small failures across endpoints, employees, contracts, and audit trails, and the bill arrives in seven different envelopes over eighteen months.

What gets counted in data breach cost India

Six things show up on the eventual invoice. Forensics, regulator fines, breach notification, customer remediation, business loss, and reputational repair. Skip any of these in your modelling and the projection looks rosier than reality.

Forensics is the first cost in the door. A mid-size breach forensics engagement in India runs approx Rs.40 to 90 lakh, depending on whether you have logs ready. Most do not. The forensics team is paid by the hour to reconstruct what happened, what data left, and which systems are still compromised. If your endpoint logs are 30 days old or your network captures expired, that bill doubles.

Regulator fines come second. Under DPDP Act 2023, the penalty cap is Rs.250 crore per violation, and the Data Protection Board can impose multiple counts in a single decision. Mid-size companies typically land in the approx Rs.50 lakh to Rs.5 crore zone for non-malicious lapses, going higher when wilful negligence is found. IT Act 2000 Section 43A is still in play for civil damages until DPDP fully kicks in. Sectoral regulators add their own cuts: IRDAI on insurance, RBI on financial services, SEBI on listed entities. A logistics company we audited last year paid three separate fines for the same incident (DPDP precursor, IT Act, and IRDAI), adding up to approx Rs.3.4 crore on a Rs.40-lakh-impact breach.

Breach notification and customer remediation are next. DPDP mandates direct notification to every Data Principal whose data was affected, plus the Data Protection Board, within a tight window. For approx 50,000 affected records the notification cost (postage, email, call-centre staffing for the inevitable wave of inquiries, credit-monitoring for any financial data exposure) can clear approx Rs.1.2 to 2.5 crore. Add legal-letter mailings to enterprise customers and the SLA-credit clauses they will demand, and the number climbs.

Business loss is the cost nobody puts in the slide because nobody trusts the number. It is real anyway. EY’s 2024 India Cyber Insurance Trends report puts post-breach revenue impact at approx 8 to 12% over the next twelve months for mid-size firms, which is approx Rs.4 to 12 crore on a Rs.50-crore-revenue company. Customers go quiet. Renewals slow down. Sales cycles lengthen because every prospect’s procurement team now wants three new security questionnaires.

Reputational repair is the last category and the slowest to recover. Brand audits, PR retainer, replacement of leadership where needed, additional sales investment to refill the pipeline. A pharma company in the western corridor we work with budgets approx Rs.2.4 crore over eighteen months for this category, and treats it as the cost of buying back the relationships their compliance lapse cost them.

A real numbers example: 200-person Mumbai company

A 200-person services firm with approx Rs.50 crore revenue gets hit by a phishing-led credential theft. Approx 38,000 customer records leak, names, emails, partial financial data. Standard mid-size breach. Here is the eighteen-month bill, conservatively modelled.

Line item | Range | Conservative figure
Forensics + IR | approx Rs.40-90 lakh | approx Rs.65 lakh
DPDP fine (non-wilful) | approx Rs.0.5-5 crore | approx Rs.2 crore
Sectoral regulator fines | approx Rs.0-3 crore | approx Rs.50 lakh
Breach notification + 12-month credit monitoring | approx Rs.1.2-2.5 crore | approx Rs.1.7 crore
Customer remediation + SLA credits | approx Rs.50 lakh-3 crore | approx Rs.1.4 crore
Revenue loss (8-12% of ARR over 12 months) | approx Rs.4-6 crore | approx Rs.5 crore
Reputational repair (brand, PR, sales spend) | approx Rs.1-3 crore | approx Rs.2 crore
Legal counsel + class-action defence | approx Rs.40 lakh-1.2 crore | approx Rs.80 lakh
Cyber insurance deductible + premium hike | approx Rs.30-90 lakh | approx Rs.55 lakh
Eighteen-month total | approx Rs.8.4-32 crore | approx Rs.14.6 crore

This is the conservative version. The aggressive version, where the breach turns out to be wilful negligence (no MDM, no DLP, no audit trail), pushes total liability past approx Rs.30 crore once DPDP loads up multiple violation counts. We have seen the math on a logistics company hit early in 2025. The working number their CFO presented to the board was approx Rs.27 crore. It is still settling.

The number to remember is not Rs.14.6 crore or Rs.27 crore. It is the multiple. A Rs.50-lakh-impact breach (the value of stolen data) ends up costing approx 30x to 50x that figure across the cost categories above. That is the math nobody plans for, because the impact line and the cost line are not the same thing.

DPDP Act and the new fine regime

DPDP Act 2023 fully takes effect by May 2027. Until then, IT Act Section 43A is the active civil framework, and the Data Protection Board is conducting practice enforcement on early cases. Three things change once DPDP fully lands.

Direct civil penalty up to Rs.250 crore per violation. The cap is high and the typical mid-size penalty will land much lower, but the cap matters for board-level risk modelling. The Board has discretion to apply the cap in cases of repeated or wilful failure.

Multiple-count exposure. One incident can constitute multiple violations under DPDP: failure to obtain consent, failure to notify, failure to maintain reasonable security, failure to appoint a DPO. Mid-size companies that have a single breach can be hit with three or four separate approx Rs.50 lakh fines that compound.

Personal liability for directors. Where wilful breach is established, individuals, including the CEO and DPO, can be held personally liable. This shifts the cost of a breach from the corporate balance sheet to the leadership team’s personal exposure, which most boards have not internalised yet. Our DPDP Act penalties guide walks through the calculation framework in detail, including which factors increase or decrease the per-violation penalty.

The hidden costs your CFO will not put in the slide

Three categories never make it into the breach-cost spreadsheet but always show up in the eighteen-month cash flow.

The first is internal overtime. The IT, security, and legal teams will spend approx 60-90 days running the response. That is approx 800 person-days of senior time that would otherwise be on revenue projects. At loaded cost, you are looking at approx Rs.40-70 lakh in opportunity cost the line manager will absorb without anyone modelling it.

The second is enterprise customer churn. The mid-size companies that do business with you have their own DPDP exposure now. After your breach, your status as their data processor becomes a board-reported risk. Not all will leave. Some will. Approx 10-15% of the affected enterprise customer base typically does not renew, often without telling you the reason. We have audited companies six months post-breach where the sales team thought they were closing renewals normally, until the renewal data came back showing a quiet approx Rs.8 crore drop in commitment volume.

The third is insurance. Cyber insurance premiums after a breach jump approx 40-90%, and your deductible structure is restructured upward. If you did not have coverage at all, getting it after the fact costs nearly twice what a clean policy costs. EY’s 2024 cyber insurance trends report flags this as the single most under-priced line item in India breach budgets.

The good news is most of this is preventable. The cost of preventing a breach for a 200-person mid-size firm, with proper employee data theft monitoring plus DLP plus device management plus consent infrastructure, comes in at approx Rs.40-80 lakh annually. That is one to two percent of the breach cost it stops, and most of it pays back in operational efficiencies anyway. The math on this trade is not subtle.

What to do this quarter if you have not started

Three moves matter more than the rest. First, run an honest data inventory. You cannot protect data you have not located. Most mid-size companies have customer data in approx five to nine systems they did not document. Second, deploy endpoint DLP on devices that handle customer data. Approx 60% of breaches start at the endpoint, and endpoint DLP catches the silly ones: people emailing client lists to personal accounts, USB exfiltration, screenshots into WhatsApp. Third, write the breach response playbook before you need it. The single biggest predictor of breach cost in our audit work is whether the company had a written response plan. Companies with one spend approx 50-70% less on forensics. The plan does not have to be perfect, it has to exist.

Sirius Star Secure Data Guard covers the inventory, the endpoint DLP, the consent infrastructure, and the breach playbook in one stack. The DPDP-readiness audit is a free 70/30 starting point. We are not selling tools. We are selling the math your CFO needs before the breach, not after.

Buying 50+ devices for the rollout? Ask about Device-as-a-Service when you book the audit.


Priya’s Take

Two of the three breaches I have audited in the last twelve months were not technical failures. They were paperwork failures (no consent records, no data inventory, no breach playbook) that became technical incidents because the company had no systems for the controls DPDP requires. Companies that treat data breach cost as a tool problem solve it wrong. Treat it as a control-system problem and the budget conversation becomes much easier to win at the board.

FAQ

Q: What is the average data breach cost in India for a mid-size company? A: A typical mid-size data breach in India works out to approx Rs.14 to 27 crore over eighteen months, including DPDP fines, breach response, customer remediation, lost business, and reputational repair. IBM’s 2024 India report puts the average at approx Rs.18 crore. The single biggest variable is whether the breach is judged wilful, which can push total liability past approx Rs.30 crore.

Q: How is DPDP changing breach costs? A: DPDP Act 2023 introduces civil penalties up to Rs.250 crore per violation and multiple-count exposure on a single incident. Mid-size firms will typically see approx Rs.50 lakh to Rs.5 crore per violation. The bigger shift is personal liability for directors in wilful cases. Full effect by May 2027.

Q: Does cyber insurance cover the full breach cost? A: Cyber insurance covers approx 40-60% of the cost categories above, mostly forensics and breach notification. It does not cover regulator fines (DPDP, IT Act), reputational repair, or the medium-term revenue loss. After a breach, premiums also rise approx 40-90% on renewal.

Q: What is the cheapest way to lower breach exposure? A: Run a data inventory, deploy endpoint DLP, write a breach response playbook. For a 200-person company that costs approx Rs.40-80 lakh annually, less than two percent of typical breach cost. The single biggest cost reducer is having a written response plan, since companies with one spend approx 50-70% less on forensics.

About the author

Priya Sharma leads the Compliance practice at Sirius Star Enterprise Technologies, focused on DPDP Act readiness, data inventories, and DLP design for Indian mid-size firms. She has audited approx 60 breach response programmes across BFSI, pharma, and logistics, and writes the team’s quarterly view on regulator action under the new framework.
