USHA Ransomware Breach: DPDP Lessons for Indian Manufacturers on SAP and Employee Data Risk

Rainmaker June 16, 2026 Data Protection & Privacy 6 min read

TL;DR

The USHA International ransomware listing shows how a single SAP breach can freeze operations and expose employee data in one stroke. Under India’s DPDP Act and Rules 2025, such incidents are no longer “IT problems” but governance failures that can trigger penalties up to ₹250 crore and mandatory breach notifications. This blog explains what went wrong, why SAP‑centred architectures magnify risk, and the six concrete steps Indian manufacturers must take now—tightened access, secure backups, MFA, continuous awareness, DPDP‑aligned incident response, and board‑level oversight.

The morning shift began the way it always did. 

A manager sat down with a coffee, opened their laptop, and clicked the SAP icon to pull up the day’s procurement logs and employee rosters. Only, the dashboard didn’t load. Instead, the screen froze, and a plain text file appeared. Within minutes, the internal phones started ringing. IT couldn’t access the payroll data. The vendor contracts were suddenly encrypted. 

The digital heartbeat of the plant had stopped.

It didn’t start with a sophisticated cyber-warfare tactic. It started with a dormant vendor account that no one remembered to deactivate, and a tired employee clicking a link the night before.

For decades, securing an Indian manufacturing plant meant high walls, biometric turnstiles, and fire safety drills. You could see the risks. You could physically lock the gates. But today, the most critical breaches happen silently, inside the servers holding the private identities and financial workflows of the organisation.

Under India’s new data protection regime, incidents like this are no longer treated as isolated cybersecurity events. They now carry direct legal and operational consequences under the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the DPDP Rules, 2025 (“DPDP Rules”).

The Incident in Focus

In late February 2026, USHA International Limited reportedly appeared on the leak site of a ransomware group known as “Vect.” On 28 February 2026, this group listed the company on the dark web, claiming access to multiple categories of internal data, including employee information, SAP databases, CMS and CMR systems, and other internal organisational records.

This was not the usual “a few emails were exposed” story. On the face of it, the listing suggested potential access to large volumes of personal data—employee records, HR files, and other information linked to identifiable individuals, alongside critical business systems.

The DPDP Lens 

Under the DPDP Act, personal data refers to any data about an individual who can be identified directly or indirectly. 

In a manufacturing environment, this can include employee and ex-employee records, payroll information, contact details, vendor and contractor data, customer and dealer databases, and user accounts linked to identifiable individuals. Much of this information is often stored and processed within interconnected HR, payroll, and ERP systems such as SAP.

This is where the reported USHA incident becomes particularly relevant from a data protection perspective. The key legal question is not simply whether a cyberattack occurred, but whether personal data was compromised and the organisation fulfilled its obligations under the DPDP framework.

If the claims made by the ransomware group are ultimately found to be accurate and personal data was accessed, disclosed, altered, or otherwise compromised without authorisation, the incident could constitute a personal data breach under the DPDP Act. In such a scenario, the focus would extend beyond the technical details of the attack to the adequacy of the organisation’s data protection and security measures.

The DPDP framework requires Data Fiduciaries (USHA Limited, in this case) to implement reasonable security safeguards to prevent personal data breaches. Depending on the nature of the organisation, the volume and sensitivity of data processed, and the risks involved, such safeguards may include measures such as access controls, encryption, logging and monitoring, vulnerability management, backup and recovery mechanisms, and ongoing employee and vendor awareness initiatives.

In fact, where a personal data breach occurs, the organisation is required to notify the Data Protection Board of India and affected individuals without delay. Under the DPDP Rules, a detailed report must be submitted to the Data Protection Board of India within 72 hours of the Data Fiduciary becoming aware of the breach. 

Regulatory scrutiny is unlikely to focus solely on how attackers gained access. It may also examine broader governance questions, including whether:

  • access rights were appropriately managed;
  • critical systems were adequately monitored;
  • recovery mechanisms were effective;
  • the organisation had established a structured approach to privacy and security governance.

In other words, under the DPDP regime, a ransomware incident is no longer viewed solely as a cybersecurity event. It can also become a test of whether the organisation took reasonable and proportionate steps to protect the personal data entrusted to it. Where those safeguards are found to be inadequate, organisations may face significant regulatory consequences, including financial penalties up to INR 250 crores under the DPDP Act.

What Indian Companies Should Do Now

The most dangerous thing about cyber risk is how ordinary it looks before an incident occurs. A dormant vendor account, an unpatched system, a missed access review, or a single click on a phishing link can quietly create vulnerabilities long before anyone realises there is a problem. The DPDP era requires organisations to move beyond reactive cybersecurity and build a culture of privacy, security, and accountability. 

In practical terms, companies should focus on six immediate priorities:

  1. Strengthen access governance
    Regularly review access to critical systems such as SAP, ERP, HR, and payroll platforms. Dormant accounts, shared credentials, and legacy vendor access should be identified and removed, while access reviews should form part of a broader data governance framework.
  2. Build resilient backup and recovery capabilities
    Backups should be encrypted, regularly tested, and segregated from production environments. An effective recovery strategy can often determine whether a ransomware incident becomes a temporary disruption or a prolonged business crisis.
  3. Make multi-factor authentication the default
    Sensitive systems, remote access tools, email platforms, and business-critical applications should be protected through strong authentication measures to reduce the risk of credential compromise.
  4. Invest in continuous employee awareness
    Technology alone cannot prevent breaches. Employees across functions—from factory operations and HR to procurement and leadership—should receive regular, customised, scenario-based training on phishing, password hygiene, social engineering, and responsible data handling.
  5. Develop a DPDP-ready incident response plan
    Organisations should clearly define roles, escalation protocols, communication responsibilities, and decision-making processes before an incident occurs. When a breach happens, speed, coordination, and clarity matter as much as technical recovery.
  6. Elevate cyber risk to the boardroom
    Cybersecurity and data protection should be treated as governance and business continuity priorities, not merely IT concerns. Leadership teams should regularly review cyber preparedness, privacy compliance, and incident response readiness alongside other strategic risks.
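
The access review in priority 1 can be run as a repeatable check. The sketch below is an added illustration, not part of the original post or of any SAP tooling: it reads a constructed CSV assumed to be an export of the SAP user master table USR02 and flags dormant, expired, open-ended vendor, and shared accounts. The 90-day threshold, the VENDOR user group name, and the sample rows are assumptions.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample, shaped like a CSV export of SAP table USR02 (assumed layout).
# BNAME=user, USTYP=user type, CLASS=user group, UFLAG=lock flag (0 = not locked),
# TRDAT=last logon date, GLTGB=valid-to date; SAP stores empty dates as 00000000.
SAMPLE_EXPORT = """BNAME,USTYP,CLASS,UFLAG,TRDAT,GLTGB
AKUMAR,A,HR,0,20260210,20261231
VND_LOGIS01,A,VENDOR,0,20250301,00000000
VND_AUDIT02,A,VENDOR,0,20260110,20260115
PAYROLL_SHARED,S,HR,0,20260220,00000000
OLD_BUYER,A,PROC,64,20240105,00000000
NEWJOINER,A,PROC,0,00000000,20261231
"""

def sap_date(value):
    """Parse an SAP YYYYMMDD date; return None for the empty value 00000000."""
    value = value.strip()
    if not value or value == "00000000":
        return None
    return datetime.strptime(value, "%Y%m%d").date()

def review_accounts(export_text, today, dormant_days=90, vendor_group="VENDOR"):
    """Return {user: [findings]} for unlocked accounts that need a reviewer's decision."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if int(row["UFLAG"]) != 0:  # already locked, so skip it in this pass
            continue
        issues = []
        last_logon = sap_date(row["TRDAT"])
        valid_to = sap_date(row["GLTGB"])
        if last_logon is None:
            issues.append("never logged on")
        elif (today - last_logon).days > dormant_days:
            issues.append(f"dormant {(today - last_logon).days} days")
        if valid_to is not None and valid_to < today:
            issues.append("validity expired, pending removal")
        if row["CLASS"] == vendor_group and valid_to is None:
            issues.append("vendor account with no end date")
        if row["USTYP"] == "S":  # user type S (service) is meant for shared use
            issues.append("shared service user")
        if issues:
            findings[row["BNAME"]] = issues
    return findings

if __name__ == "__main__":
    for user, issues in review_accounts(SAMPLE_EXPORT, date(2026, 2, 28)).items():
        print(f"{user}: {'; '.join(issues)}")
```

Keeping each run's findings alongside the reviewer's decision gives the organisation a dated record that access reviews actually took place.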

Ultimately, the goal is not just to prevent every incident—an impossible standard in today’s threat landscape. It is to demonstrate that the organisation has taken reasonable, proportionate, and accountable steps to protect the data entrusted to it.

Wrapping Up 

Whether or not the claims surrounding the reported USHA incident are ultimately substantiated, the lesson for Indian businesses is clear: cybersecurity is no longer just an IT concern. It is a business continuity, governance, and data protection issue.

A single compromise can disrupt operations, expose personal data, trigger regulatory obligations, and erode stakeholder trust. In the DPDP era, organisations are expected to demonstrate not only that they can respond to incidents, but that they have taken reasonable steps to prevent them.

That is where preparedness matters.

At Rainmaker, we work with organisations to bridge the gap between cybersecurity, privacy, and workplace accountability. Through DPDP readiness assessments, role-based awareness programmes, privacy governance workshops, DPO consultancy support, and leadership training, we help businesses build cultures where data protection is understood not just as a compliance requirement, but as a business responsibility. 

Because when it comes to data breaches, the real test is not what happens after an incident. It is whether the organisation was ready before it happened.
