India’s insurance industry came under intense cybersecurity pressure in FY 25, experiencing its highest-ever volume of cyberattacks. Leading insurers like Star Health & Allied Insurance, Niva Bupa, HDFC Life, Tata AIG, and LIC reported major breaches, exposing sensitive personal and medical data of millions.
The most severe incident occurred in August 2024, when Star Health suffered a massive breach affecting 31 million policyholders. Hackers obtained Aadhaar numbers, PAN details, medical reports, and contact information, later offering the data on Telegram and dark web platforms for just USD 43,000—an alarming indicator of cybercrime’s scale relative to potential fallout. Subsequent threats even extended to the company’s CEO and CFO.
In February 2025, Niva Bupa, with nearly 20 million lives insured, faced a breach where threat actors claimed access to customer records, though only samples were shared publicly. The insurer responded by initiating digital safeguards and engaging cybersecurity auditors. Earlier, in November 2024, HDFC Life detected unauthorized disclosure of customer data, prompting internal audits. Tata AIG confirmed a late-2024 data leak and was ordered by IRDAI to conduct a comprehensive IT systems audit. Meanwhile, LIC came under social media scrutiny in January 2025 after OTP processes were found absent for online insurance form submissions, raising phishing risks.
Beyond insurer-specific incidents, December 2024 saw a software vendor breach affecting data from multiple insurers—highlighting vulnerabilities in third-party ecosystems.
Industry experts attribute the surge to outdated IT systems, weak encryption, and increased digital footprints from rapid tech adoption. While IRDAI mandated IT audits, risk assessments, and employee training, critics argue these measures remain reactive, lacking a national data protection standard. The cost of disruption also soared, estimated at USD 900,000 per day in outages. That figure is critical given the exposure of Aadhaar, PAN, and health records, which carry long-term identity theft and fraud risks.
Stakeholders must act:
Insurers must upgrade cyber defenses, enforce encryption, conduct frequent risk audits, and enhance third-party vendor oversight.
Regulators should establish binding cybersecurity standards, streamline breach notification protocols, and enforce penalties.
Policyholders are encouraged to exercise vigilance: monitor statements, activate multi-factor authentication, and inquire about insurer data protection measures.