The hours after you discover a breach are the ones that matter most — for containment, for evidence, and for staying on the right side of Indian law. Two clocks start ticking immediately: CERT-In requires notification within 6 hours, and the DPDP Act, 2023 requires you to inform the Data Protection Board and every affected individual. This is a practical, step-by-step playbook for responding to a data breach in India — what to do first, who to notify and when, and how to come out of it stronger.
If you’re dealing with a live incident right now, skip to the checklist and get incident-response support in parallel — the two run together.
First, know the two deadlines
| Obligation | Who | Deadline |
|---|---|---|
| CERT-In cyber-incident report | Service providers, intermediaries, data centres & body corporates | Within 6 hours of noticing the incident (Directions, 28 Apr 2022) |
| DPDP Act breach notification | Data Fiduciaries (organisations processing personal data) | Notify the Data Protection Board and each affected individual — confirm current timelines under the DPDP Rules |
Missing the CERT-In window or failing to notify under DPDPA can compound the damage — the DPDP Act sets penalties up to ₹250 crore for failing to take reasonable security safeguards. Speed and documentation are everything.
The first hour: contain and preserve
1. Don’t panic — and don’t destroy evidence
The instinct to wipe and rebuild a compromised server is understandable and wrong. Pulling systems offline the wrong way can erase the forensic trail you’ll need for CERT-In reporting, insurance, and stopping re-entry. Isolate, don’t obliterate.
2. Contain the spread
Disconnect affected hosts from the network (but keep them powered where possible for memory forensics), disable compromised accounts, rotate exposed credentials and API keys, and block the attacker’s known infrastructure. If you have managed detection and response (MDR) or a SOC, this is what they’re built for.
3. Preserve forensic evidence
Capture volatile data (RAM), disk images, and relevant logs before anything changes. This is where professional digital forensics and incident response (DFIR) matters — a defensible chain of custody protects you legally and helps malware analysis identify how the attacker got in.
The first 6 hours: report to CERT-In
Within six hours of becoming aware, report the incident to CERT-In. You don’t need every detail up front — provide what you have and follow up. A typical report covers: the type of incident (ransomware, data breach, unauthorised access), affected systems, the time of detection, and your initial response. Assign one owner for CERT-In communication so nothing falls through the cracks.
Notify under the DPDP Act
If personal data was affected, DPDPA obligations kick in. As a Data Fiduciary you must notify the Data Protection Board of India and the affected Data Principals (the individuals whose data was exposed). Your notification should describe the breach, the likely consequences, and the steps you’re taking — written in plain language people can act on. Having your DPDPA compliance groundwork done in advance makes this fast instead of frantic.
Investigate, eradicate, recover
- Root-cause analysis: how did they get in — phishing, an unpatched vulnerability, exposed credentials? For ransomware, determine the strain, entry vector and whether data was exfiltrated.
- Eradicate: remove the attacker’s foothold entirely — backdoors, persistence mechanisms, rogue accounts. Re-imaging a box isn’t enough if the entry vector is still open.
- Recover: restore from clean backups, reset all potentially exposed secrets, and monitor closely for re-entry — attackers often come back.
After the incident: turn it into resilience
A breach is a brutal but useful audit. Feed the findings back into your defences: fix the vulnerability that let them in (validate with a VAPT), tighten access controls, improve logging and monitoring, and run the incident as a tabletop exercise so your team responds faster next time. Organisations that treat the post-incident review seriously rarely get hit the same way twice.
Data-breach response checklist
- □ Isolate affected systems (don’t wipe)
- □ Preserve RAM, disk images and logs
- □ Rotate exposed credentials, keys and tokens
- □ Report to CERT-In within 6 hours
- □ Notify the Data Protection Board and affected individuals (DPDPA)
- □ Engage DFIR for root-cause and chain of custody
- □ Eradicate persistence; restore from clean backups
- □ Run a post-incident review & fix the root cause
Frequently asked questions
How quickly must I report a cyber incident in India?
CERT-In requires notification within six hours of noticing the incident. If personal data is involved, DPDP Act notification to the Board and affected individuals also applies.
Should I pay a ransomware demand?
Authorities generally advise against paying — it funds crime and doesn’t guarantee recovery. Focus on containment, clean backups and professional ransomware investigation. Decide with legal and IR advisors, not in a panic.
Do I need external help, or can my IT team handle it?
Internal IT can contain the obvious, but breaches need forensic rigour and legally-defensible evidence handling. Specialist DFIR reduces mistakes that make things worse — and speeds up your CERT-In and DPDPA obligations.
What if I’m not sure personal data was affected?
Treat it as if it was until forensics proves otherwise, and keep the Board notification ready. Under-reporting a personal-data breach carries more risk than a cautious, well-documented response.
Facing a breach? Get expert help fast
Selkey Cyber Security provides rapid incident response and digital forensics for organisations across India — containment, root-cause analysis, evidence preservation, and support meeting your CERT-In and DPDP Act obligations. Our team holds credentials including OSCP, CEH Master and CPENT.
See our data-breach response service or contact our incident-response team →
This article is general guidance, not legal advice. Confirm your specific reporting obligations against the current CERT-In Directions and the DPDP Act and Rules, or with qualified counsel.