Major Data Breach in India. Kenya, Thailand & Singapore Staying Vigilant
23.04.2025

In this week’s round-up of information security events, we examine a data breach in India and the activities of data regulators around the globe. Four major Indian insurance companies have been affected by a data breach stemming from a software company. There have been several incidents involving insurance companies in recent times. The Singapore data regulator reported a 200% increase in enforcement actions in 2024. The Kenyan Data Commissioner fined several digital lenders for violations of data rights. Thailand enacted new cybersecurity amendments with stricter penalties for data abuse.

Disturbing news came from India, where a major data breach occurred. Criminals infiltrated an Indian software company and leaked a massive amount of sensitive records. HDFC Ergo, ICICI Lombard, and Bajaj Allianz, all major insurance companies, have been affected by this incident. According to preliminary information, the criminals exfiltrated approximately 1.59 million lines of sensitive information.

According to the available information, malicious actors exposed records, including:

  • Policyholder information
  • Email IDs
  • Mobile numbers
  • Administrative credentials.

Criminals can use the compromised data for further malicious activity, including identity theft and phishing campaigns. Moreover, the stolen SQL database includes internal system commands, which can be used for further exploitation.

The breach follows previous security incidents involving other Indian insurance companies like Star Health Insurance and Niva Bupa. For instance, the Star Health Insurance data leak affected almost 31 million of the company's customers. The average cost of a data breach in India grew to an all-time high of $2.3 million in 2024.

The Insurance Regulatory and Development Authority of India reacted to the recent incidents and proposed a set of measures to ensure information security. The regulator recommended that all insurers commission a third-party forensic audit. It also required insurance companies to conduct holistic IT system audits following the latest attacks.

Data regulators around the world have also been taking action to ensure regulatory compliance. For example, the Singapore Personal Data Protection Commission (PDPC) published a report on the data breach landscape for 2023-24. Among the key trends the regulator highlighted were the following:

  • Data breaches are on the rise. There has been a 41% rise in large-scale breaches reported to the PDPC in a year. A breach is considered large-scale if it involves more than 500 people.
  • Cyber incidents are the main cause of breaches. These account for 82% of instances where the PDPC has taken enforcement action against organizations that failed to protect their data because of weak security measures.
  • More organizations are found to be in violation of the Personal Data Protection Act (PDPA). There has been a 200% increase in PDPC enforcement actions against organizations, with some facing financial consequences such as a fine of up to 10% of their annual turnover or SGD 1 million, whichever is higher.

The Kenyan Office of the Data Protection Commissioner continues the same trend. In the first quarter of 2025, it issued several rulings against mobile lenders Whitepath, Platinum Credit, and Rocketpesa for violations of the Data Protection Act 2019. These companies have been fined a total of KES 3,150,000 (about $24,000) in six separate cases. The digital lenders were fined for abusing personal information collected from their debtors and illegally contacting relatives and friends with messages regarding repayments.

According to the details of the rulings, the financial institutions committed several violations of the Data Protection Act 2019. Firstly, the lenders unlawfully collected phone numbers by accessing their customers’ phone books and didn’t inform them that personal data was being collected. Secondly, the respondents failed to notify data owners about the purpose for which the collected data would be used. This is a violation of the right to be informed.

The Office of the Data Protection Commissioner issued enforcement notices to stop unlawful contacts and ordered the payment of fines in all complaints. The regulator demonstrated that businesses have to comply with legislation. Such a chain of legal cases is a clear reminder of the necessity of regulatory compliance.

Thailand is following the same course of fighting cybercrime and ensuring robust data protection. On the 12th of April, major amendments were published in the Royal Gazette. The updated Royal Decree on Measures for the Prevention and Suppression of Technology Crimes (No. 2) B.E. 2568 is aimed at bolstering the legal framework against information threats. Among other changes, the law introduces much stricter punishments for violations of data protection. The new provisions are effective from the 13th of April.

From now on, violators of data protection will face up to one year in prison and a fine of up to 100,000 baht (about $3,000) for data sharing without permission. Individuals involved in buying or selling sensitive data will face stricter punishments: a fine of up to 500,000 baht (about $15,000) and imprisonment of up to five years. New provisions of the law also protect the personal data of deceased individuals, backed by legal prosecution.

Officials emphasized that the new decree reinforces the existing Personal Data Protection Act.


Regulatory compliance is one of the major challenges for businesses and governmental organizations. Those who violate legal requirements face not only an increased risk of falling victim to an incident but also the prospect of fines and legal claims. Nowadays, compliance with legal requirements is the cornerstone of stability and development.

A few countries have yet to implement the major regulations in the sphere of information protection. If you want to dive deeper into the regulatory agenda, visit our website and learn more about how to ensure compliance with the General Data Protection Regulation (GDPR), the Saudi Arabian Monetary Authority (SAMA) Cybersecurity Framework, the Personal Data Protection Bill (PDPB), the Saudi Personal Data Protection Law, UAE regulations, and other legal acts.

