Who Actually Controls Your Employee Data? If the Answer Is Your Vendor, Read This.


On February 27, 2024, a hacker got into VeriSource Services, a US-based HR and employee benefits administration platform. The attacker was inside the system for one day before unusual activity was detected. By then, the employee data was already gone.

Four million employee records. Names. Home addresses. Dates of birth. Gender. Government identification numbers. Records of employees and their dependents from dozens of companies across industries, all stored on one shared HR platform.

Here is what made this breach different from most.

The companies whose employees were affected did not run the breach investigation. They did not know what records VeriSource held on their behalf. They could not tell their own employees what had happened, because they did not know the scope themselves.

It took VeriSource fourteen months to complete its investigation and notify the full four million victims. For over a year, those employees went about their lives not knowing that their personal records were already in criminal hands.

The companies that hired those employees had outsourced their HR data to a platform they did not control. When that platform was breached, they had no visibility, no audit trail, and no ability to respond. They were accountable for data they could not account for.

That distinction is not academic. Under India’s Digital Personal Data Protection Act, which came into full operational force in November 2025, that situation is precisely the one every Indian employer must now avoid.


The Question Nobody in HR Is Asking

When you hire a new employee and collect their Aadhaar card, PAN card, bank account number, and home address, a simple question follows: where does that data actually live?

Not where you filed the paper copy. Where does the digital record sit? On whose server? Under whose administrative access? Subject to whose security controls?

For a large number of Indian companies today, the honest answer is: on a vendor’s shared cloud server, somewhere, managed by a team you have never audited, under a contract that gives you no visibility into what they do with it.

That is not a criticism of cloud technology. Cloud infrastructure, managed correctly, can be extremely secure. The problem is not where the data is hosted. The problem is who controls it, who can see what is being done with it, and whether you, as the employer, can answer for it if something goes wrong.

The VeriSource case is the clearest possible illustration of what that gap looks like in practice. Those employers had no answers. Their employees, four million of them, paid the price.


Why This Is an Indian Problem, Not Just an American One

The VeriSource breach happened in the United States. But the structural failure it exposed, an employer storing employee personal data on a platform it does not control, with no real-time visibility and no independent audit capability, is not unique to any country.

Walk through a typical Indian company’s HR data situation.

A manufacturer in Pune with 400 employees. HR is managed by two people. Employee records live in a WhatsApp group, a shared folder on the HR manager’s laptop, and a mid-range payroll SaaS tool that was chosen because it was affordable and easy to set up. Nobody from IT was involved in the decision. Nobody audited the SaaS vendor’s security posture. The vendor’s servers are somewhere in a data centre the company has never visited.

An NBFC in Mumbai with 150 employees. They use a cloud HR platform from a national vendor. The vendor’s support team has admin access to the database for maintenance purposes. There is no log of when the vendor’s staff accessed employee records. There is no contractual obligation on the vendor to notify the NBFC if their systems are audited or breached. The NBFC’s IT team has no independent view into what the vendor holds.

A school in Nagpur. Staff records in a mix of Excel files and a fee management software that also manages staff data as an afterthought. Former teachers from five years ago are still in the system because nobody ever ran a deletion exercise.

In each case, the employer collected the data. The employer is the Data Fiduciary under the DPDP Act. But the employer does not control the data. They cannot produce an audit trail. They cannot confirm what a vendor has done with it. And if the vendor is breached, they will find out the same way those VeriSource clients did: late, incomplete, and with no ability to respond quickly.


What the DPDP Act Actually Holds You Accountable For

The DPDP Act is straightforward on this point. As a Data Fiduciary, you are responsible for the personal data you collect, regardless of which system you store it in or which vendor processes it on your behalf.

That accountability has specific operational requirements that most Indian employers are not currently meeting.

  • You must know what you hold. The Act requires you to be able to produce a complete record of what personal data you hold about an individual, on request, within 90 days. If your employee data is spread across four systems managed by three vendors, you cannot do this. The inability to answer this question is itself a compliance failure, not just a practical inconvenience.
  • You must control access to it. Access to employee personal data must be limited to those with a legitimate, documented reason. Every access event should be logged. If your HR platform’s vendor has admin access and you have no record of when or why they used it, you do not have access control. You have access hope.
  • You must delete it when the purpose ends. When an employee exits, their personal data must be retained only as long as legally required and then deleted. This deletion must cover every system that holds the data. If your cloud HR vendor retains records indefinitely by default, and you have no mechanism to trigger deletion, you are accumulating DPDP liability with every employee who leaves.
  • You must be able to respond when something goes wrong. If a breach occurs, you must notify the Data Protection Board within the prescribed timeline after discovery. That notification requires knowing what data was affected, whose data it was, and what was in it. If the answer lives entirely on a vendor’s system that you cannot independently audit, you cannot notify accurately. VeriSource took fourteen months because the data was theirs operationally, but not governably. Your situation may not be very different.
  • You must bind your vendors and verify them. The Act requires contractual data protection obligations on every processor you engage. But a contract clause without operational visibility is paper compliance. You need the ability to actually verify what your HR vendor does with your employees’ data, not just their assurance that it is safe.

The Real Difference Between On-Premise and Vendor-Controlled HR Data

This is the conversation that most CTO and HR discussions in Indian SMBs skip entirely, because it sounds like an IT infrastructure topic. It is not. It is a governance and accountability topic.

When your employee data lives in a system you host, whether on your own servers or in a private cloud environment you manage, several things become possible that are not possible when the data lives on a vendor’s shared platform.

  • You can audit it yourself. You do not need to request a report from a vendor. You can run your own query: who accessed which records, when, from which device, and what they did. This is what independent auditability looks like. Under DPDP, this is what the Data Protection Board will look for.
  • You can enforce your own deletion policies. When an employee exits, your IT team can trigger a deletion workflow that runs inside your own system, under your own control, with a log you own. You are not dependent on a vendor’s default retention settings or on submitting a support ticket to request deletion.
  • You control who has admin access. No vendor support team has privileged access to your employee records unless you explicitly grant it, for a defined purpose, for a defined period. Every access can be logged and reviewed.
  • You can respond to a breach independently. If something happens to your network, you can investigate your own systems. You do not have to wait for a third-party vendor to complete their investigation and tell you what happened to your data. The fourteen months that VeriSource took to notify victims were partly a function of data being spread across multiple client environments that required manual reconciliation. When the data is in your system, you own the investigation.

This is not an argument that cloud HR platforms are inherently insecure. It is an argument that control matters, and that under the DPDP Act, accountability without control is an unstable position.

The CTO who says “we use a reputable SaaS HR tool, so we are fine” needs to ask a harder set of questions: can we produce an access log? Can we verify the deletion? Can we notify the Data Protection Board independently of whatever our vendor tells us? If the answers are no, the tool’s reputation does not close the compliance gap.


What Is at Stake Beyond the Regulation

Set aside the DPDP Act for a moment.

Think about what your employee data actually contains. An Aadhaar number linked to a biometric. A PAN number linked to a tax identity. A bank account number where the salary is deposited. A home address. A date of birth. For many employees, a background verification report including residential history and references.

This information, in criminal hands, enables a specific set of frauds that are extremely difficult to unwind. Fake loan applications in the employee’s name. SIM swap attacks using Aadhaar-linked mobile numbers. Identity theft that takes months to detect and years to fully resolve.

The employees who gave you this data did so because they needed a job. They trusted your organisation with information they cannot change if it is leaked. Their Aadhaar number is not like a password. They cannot reset it.

The companies that take this seriously are not doing it primarily because of a law. They are doing it because the people whose data they hold are their own workforce. The obligation is not just regulatory. It is straightforward: if you collect it, you protect it. And you can only protect what you control.


What Happens When You Do Not Control Your HR Data

The VeriSource scenario is the extreme version. But smaller versions of this failure happen in Indian organisations regularly, and most of them go unnoticed.

A payroll SaaS company updates its access permissions structure, and a configuration error briefly exposes client employee records to other clients on the same platform. Nobody knows. No audit log exists on the client side. No notification is sent.

A background verification vendor is acquired by another company. The new parent retains all historical verification data, including the employee records of your current and former staff, under a different privacy policy you never agreed to. You have no mechanism to object or require deletion.

An HR manager leaves your organisation. They had admin credentials to your cloud HR platform. Because the platform was managed by the vendor, your IT team has no visibility. The credentials remain active on the vendor’s system for months after the manager’s exit because nobody thought to notify the vendor.

Each of these scenarios involves data you collected from people you employ or employed, for which you are a Data Fiduciary under the DPDP Act. And in each case, the gap exists because the data is not in your control.


6 Things Every Indian HR Head and CTO Must Address Now

1. Map where your employee data actually lives

Not where you believe it lives. Where it actually sits. List every system: payroll tool, attendance software, HR platform, background check vendor portal, health insurance TPA, email archives, and shared drives. For each, answer: who has admin access, can we produce an access log, and do we have independent deletion capability?

2. Review the case for on-premise or private-instance HRMS

For any organisation handling more than 50 employees with sensitive identification data, the question of where the HRMS is hosted is a governance question, not just a cost question. An on-premise deployment or a private cloud instance that your IT team manages means you own the access logs, you own the deletion workflow, and you own the audit trail. This is the architecture that makes DPDP accountability possible.

OfficeSIA is designed specifically for this requirement. It can be deployed on your own infrastructure, giving your IT team full administrative control over access, audit logs, and data lifecycle. Your employee data does not sit on a shared vendor platform. It sits in a system you own and manage, with Skeletos providing support without requiring persistent access to your data.

3. Build a structured exit workflow

When an employee leaves, a cascade of data obligations triggers. System access must be revoked. Personal data must be reviewed for retention necessity. Data held by external vendors, the payroll processor, and the insurance TPA must be communicated for deletion. This cannot happen manually and reliably at scale. A structured HRMS with an automated exit workflow handles this systematically, with a log that proves it happened.

4. Audit your HR vendors this quarter

Every vendor that processes employee data on your behalf must be assessed against a specific set of questions: do they have a documented data protection policy, do they log access to your data independently, can they notify you within a defined window of a breach, and can they confirm deletion on request? The answers, not the vendor’s reputation, determine whether your data is actually protected.

5. Give your IT team visibility into HR data governance

In most Indian SMBs, the HR function and the IT function operate independently. HR selects HR software without IT involvement. IT manages network security without knowing what HR systems are live. Under DPDP, this separation is a liability. HR data governance requires IT involvement: access control architecture, system monitoring, incident response planning. Both functions need to be aligned, and the HRMS must sit in a system that IT can actually see and manage.

6. Treat former employee data as an active obligation, not an archive

The data of employees who left two years ago is not a historical record that can be ignored. It is personal data that the DPDP Act requires you to retain only for legally justified purposes and delete otherwise. Run a systematic review of your ex-employee data this quarter. Where there is no legal retention requirement, delete it. Where there is, document the justification. This is the kind of evidence the Data Protection Board will ask for.
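As an added example (not code from the article or from OfficeSIA), here is what the checks behind items 1, 3 and 6 above, and the independent access-log review described earlier, look like when run over an employer-owned log: privileged access with no documented reason, access by an account after its owner's last working day, and ex-employee records past a retention period with no legal hold. The log columns, account names, dates and the 7-year retention period are constructed assumptions.

```python
"""Independent HR access review. Added example, not the article's or
OfficeSIA's code. Log format, roster and 7-year retention are assumed."""
import csv
import io
from datetime import date, datetime, timedelta

# Constructed access log as an employer-owned HRMS might emit it.
ACCESS_LOG = """timestamp,actor,role,record_id,action,device,ticket
2025-12-01T09:12:00,hr.priya,hr,EMP-0412,view,LAPTOP-HR-02,
2025-12-01T11:40:00,vendor.support,vendor_admin,EMP-0412,export,UNKNOWN,
2025-12-02T10:05:00,vendor.support,vendor_admin,EMP-0099,view,UNKNOWN,CHG-2291
2025-12-03T08:30:00,hr.rahul,hr,EMP-0118,view,LAPTOP-HR-01,
2025-12-15T22:47:00,hr.rahul,hr,EMP-0200,export,UNKNOWN,
"""
# Constructed exit roster: account -> last working day. Any access after
# this date means the credential was never revoked.
EXIT_ROSTER = {"hr.rahul": date(2025, 12, 5)}
# Constructed ex-employee records: record_id -> (exit date, legal hold?).
EX_EMPLOYEE_RECORDS = {
    "EMP-0007": (date(2016, 3, 31), False),  # past retention, no hold
    "EMP-0042": (date(2017, 6, 30), True),   # past retention, hold documented
    "EMP-0118": (date(2023, 1, 15), False),  # still inside retention
}
PRIVILEGED_ROLES = {"vendor_admin", "sysadmin"}
RETENTION = timedelta(days=7 * 365)  # assumed statutory retention period


def audit_access(log_text, exit_roster, privileged_roles):
    """Return (finding, actor, record_id, timestamp) tuples for two checks:
    privileged access with no documented reason (empty ticket field), and
    any access by an account after its owner's last working day."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        actor = row["actor"]
        when = datetime.fromisoformat(row["timestamp"])
        if row["role"] in privileged_roles and not row["ticket"]:
            findings.append(("privileged_no_ticket", actor, row["record_id"], row["timestamp"]))
        last_day = exit_roster.get(actor)
        if last_day is not None and when.date() > last_day:
            findings.append(("access_after_exit", actor, row["record_id"], row["timestamp"]))
    return findings


def overdue_deletions(records, today, retention):
    """Record ids past the retention period with no documented legal hold:
    the deletions that must be run, and evidenced, for ex-employee data."""
    return sorted(rid for rid, (exit_day, hold) in records.items()
                  if today - exit_day > retention and not hold)


if __name__ == "__main__":
    for finding in audit_access(ACCESS_LOG, EXIT_ROSTER, PRIVILEGED_ROLES):
        print(*finding)
    print("delete:", overdue_deletions(EX_EMPLOYEE_RECORDS, date(2025, 12, 31), RETENTION))
```

The point is not the script but the precondition: these checks are only possible because the log, the roster and the records sit in a system the employer can query directly.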


The Bigger Picture

The DPDP Act formalises something that was already true: employers who collect employee data have always had an obligation to protect it. The law has made that obligation explicit, time-bound, and enforceable.

But the more important shift is structural. Most Indian organisations collect employee data in systems that were chosen for convenience or cost, not for governance. The data accumulates across multiple platforms, across vendor environments, across email inboxes and shared drives, without any systematic map of what exists, who can access it, or how long it should be kept.

VeriSource is an extreme example of what happens when that approach meets a determined attacker. Fourteen months. Four million records. No independent audit capability. Employers who could not account for their own employees’ data.

The organisations that navigate this well are not the ones that spend the most on compliance. They are the ones that build HR data governance into their operational infrastructure from the start. That means an HRMS they control. Access logs they own. Deletion workflows they can verify. And IT and HR teams that operate from the same governance architecture.

That is not a complex requirement. It is a structural one.


Final Thought

The VeriSource question is not, ultimately, about that specific company. It is about a structural arrangement that most companies accept without examining it: the assumption that outsourcing HR administration means outsourcing HR data governance too. It does not. You can outsource the management. You cannot outsource the accountability.

Under India’s DPDP Act, the employer who collected the Aadhaar card is the Data Fiduciary. Not the vendor. Not the platform. You.

If you cannot produce an access log, cannot trigger a deletion, and cannot independently investigate a breach in your own employee data, the question is not whether that is a compliance risk. The question is when it becomes one.

The answer to that question is now determined by the Data Protection Board’s calendar, not yours.



At Skeletos IT Services, we help Indian companies deploy OfficeSIA, a structured HRMS built for the Indian compliance environment that can be hosted on your own infrastructure, giving your IT team full control over access logs, employee data lifecycle, and audit trails. Your employees’ Aadhaar, PAN, and payroll data stay in a system you own. If you want to understand what on-premise or private-instance HR data governance looks like for your organisation, let us show you in 30 minutes.


Note: The VeriSource Services breach is based on verified public disclosures reported by BleepingComputer, SecurityWeek, The Register, and People Matters India between April and June 2025.
