Breach-Proofing Employee Records Through Advanced Cybersecurity

Every breach begins with a gap in data protection. Strengthening how employee records are stored is now central to any serious cybersecurity strategy.
Sudeshna
Monday December 15, 2025

  • The more distributed and connected HR data becomes, the more entry points exist for breaches, manipulation, and unauthorised surveillance.
  • In India, under the Digital Personal Data Protection Act 2023, organisations may have to pay hefty penalties for failing to protect employee identity.

As companies increasingly digitise workforce management, vulnerability to data leakage remains a top concern. With everything from recruitment data and background checks to payroll, performance reviews, and financial information sitting on multiple cloud platforms, companies are always at risk of losing sensitive personal and financial details of their employees.

According to IBM’s 2025 Cost of a Data Breach Report, while the global average cost of a data breach dropped to $4.44 Mn, India’s average grew to $2.51 Mn, a year-on-year increase of almost 6.9%. In the face of such threats, HR teams need to tighten up their databases for better protection.

Today, many HR teams rely heavily on third-party tools, creating weak links that are outside the organisation’s direct control. Misconfigured cloud settings, the lack of a uniform security framework, overly broad access permissions, and similar gaps further widen the exposure.

Even inside an organisation, excessive access permissions allow employees or contractors to view information they shouldn’t, increasing insider threat risks. 

On these lines, Navin Fluorine International’s CHRO, Pankaj Lochan, recounted that many years ago, in one of his previous stints, a junior employee was found sharing performance ratings with a competitor, leading to continuous poaching. On interception, the company immediately put a ban on the use of personal emails and other accounts on the official systems. 

“When cybersecurity is discussed, people talk about payroll data. However, to refrain from losing key talent to poaching, it is also important to secure the performance ratings,” Pankaj Lochan said.

How does that pose a threat? 

A loose data loop or an insider like this makes it easier for cyber criminals and competitors to break through the web. This doesn’t just lead to poaching but also exposes employee data for financial fraud, identity theft, etc. 

In May 2025, Coca-Cola and its packaging partner, Coca-Cola Europacific Partners (CCEP), were hit by two separate cyberattacks.

Later in August, recruiting firm Workday confirmed a cyberattack in which business information, including names, email addresses, and phone numbers, was stolen.

Notably, phishing attacks through imitated HR emails, job offers, and the like have become very common. Unencrypted data transfers between HR tools create interception opportunities, especially when staff work remotely on unsecured networks.

In short, the more distributed and connected HR data becomes, the more entry points exist for breaches, manipulation, and unauthorised surveillance.

How does that affect an organisation?

A breach of cloud-based HR data hits an organisation at multiple levels, including operational, financial, legal, and cultural. When sensitive employee information is exposed or tampered with, it can trigger payroll fraud, identity theft, manipulation of candidate records, or even unauthorised changes to access privileges within internal systems. These incidents disrupt critical HR processes like hiring, onboarding, attendance, and salary payouts, often bringing them to a halt.

Going forward, due to such issues, organisations may even face penalties under emerging data protection laws as the Indian government works on tightening the data privacy regulations.

In India, under the Digital Personal Data Protection Act 2023, organisations may have to pay hefty penalties for failing to protect employee identity.

The highest penalty of up to Rs. 250 Cr applies to failure of a Data Fiduciary to maintain reasonable security safeguards. Not notifying the affected individuals of a personal data breach, as well as violations of obligations relating to children, can each attract penalties of up to Rs. 200 Cr. Any other violation of the Act or Rules by a Data Fiduciary may attract penalties of up to Rs. 50 Cr. Indian companies therefore need to tighten their grip on the matter too.

Also, employees lose confidence in the company’s ability to protect their personal information, which affects morale, retention, and employer branding. 

What needs to be done?

Recently, in November, multiple major organisations in the US, namely The Washington Post, Logitech, American Airlines, and even Harvard University, suffered a data breach targeted at Oracle E-Business Suite. A large volume of data on current and former employees, including names, bank account information, Social Security numbers, and tax IDs, was exposed across the organisations using Oracle’s software. Thus, the need for a stronger firewall and encrypted data is evident.

  • All employee data must be encrypted both at rest and in transit, ensuring that even if systems are breached, the information remains unreadable. 
  • As organisations democratise data internally to build a skills-first workforce, drawing the line between sensitive employee information and talent datasets is crucial. On this note, Rajendra Dhangay, Human Resources Director, Sekhmet Pharmaventures, said, “Access to employee data should be strictly limited to HR professionals. Only basic professional details, like skills, experience, and role-related information, may be visible to select teams. For anything beyond that, individuals must go through HR.”
  • As centralised employee data is the need of the hour, adopting multi-factor authentication and strong password hygiene for HRMS and other tools is imperative.
  • Both internal and external HR-tech vendors must be evaluated for compliance, security certifications, and breach history. 
  • Regular cyber audits, penetration testing, and timely patching should be non-negotiable. 

But there are challenges

Cloud-based employee data storage and the long list of risks related to it are growing in parallel. Under such circumstances, companies and HR vendors need to invest in cybersecurity. However, with the mounting number of concerns, allocating large funds may be challenging for a smaller organisation with a limited HR budget.

In addition, today, both small and large companies heavily rely on third-party recruiters. When companies outsource hiring, their candidate data flows through multiple external agencies and platforms. 

  • Each recruiter uses different systems with varying security standards, making it harder to control how CVs, ID proofs, background checks, and salary data are stored or shared. 
  • This widens the attack surface and increases the risk of leaks through vendors that may not follow strict cybersecurity protocols.

Plus, for companies with a larger or global workforce, it is tough to keep track of who is accessing their data once it is in cloud storage.

  • Once employee data is stored on cloud platforms, it becomes extremely difficult to monitor every access point. 
  • Without real-time visibility, organisations struggle to detect unusual activity, unauthorised logins, or insider misuse, leading to blind spots that can be exploited.

Overcoming these challenges

Companies of all sizes need closely knit IT and HR teams that keep a constant check on activity in their cloud storage.

  • IT brings technical expertise, secure architecture design, encryption, access controls, and network monitoring, while HR understands the flow of employee data, who needs access, and where the vulnerabilities lie in everyday workflows. 
  • When these two functions collaborate instead of operating in silos, they can design storage environments where sensitive employee records are encrypted end-to-end, permissions are tightly regulated, and every access request is monitored in real time. 

“Cybersecurity isn’t traditionally an HR domain, so we rely on our IT experts to manage it. From choosing the right cloud service to assessing every potential vulnerability, our IT team meticulously evaluates each detail,” Rajendra Dhangay further added. 

Another emerging solution is blockchain

Instead of storing data on a single cloud server, blockchain distributes it across multiple nodes, eliminating a single point of failure. Documents are cryptographically sealed, access-controlled, and logged immutably, reducing tampering or misuse.

Awareness matters

HR teams and employees must understand the risks of logging into HRMS accounts from multiple devices or unsecured networks. They should also be trained to identify internal phishing attempts.

What is the future?

Keeping the growing vulnerabilities in mind, the Indian government has rolled out stricter compliance policies. As cyberattacks grow more sophisticated, HR will no longer be a passive data user. It will become an active stakeholder in cybersecurity strategy, with security metrics becoming part of HR’s KPIs.

The future of work is highly digital and cloud-based, which makes securing employee data unavoidable. In essence, the future HR function will be deeply integrated with security, automation, and transparent data governance.
