
Introduction
Cybersecurity is no longer just a technical issue; it has firmly moved into the public policy and regulatory domain. Governments across the world are actively reshaping how organizations build, secure, and manage digital systems. At the centre of this shift lies a critical but often overlooked component: APIs (Application Programming Interfaces).
APIs power today’s digital economy. From banking and fintech integrations to healthcare systems and government platforms, APIs enable seamless data exchange across systems. But this same capability has also made them one of the largest and most exposed attack surfaces in modern cybersecurity.
While the Digital Personal Data Protection Act, 2023 (DPDP Act) establishes principles for lawful data processing, it does not explicitly address how these principles translate into API-level controls. This creates what can be described as an ‘API blind spot’ in enforcement: the DPDP Act provides no explicit guidance on API security standards, authentication controls, or real-time monitoring, leaving organizations compliant in principle but exposed in practice.
Understanding the Risk: How APIs Actually Work
At a very basic level, an API is simply an interface that enables two systems to talk to each other.
When someone opens a banking app, books a cab, or logs into a platform from their device, multiple systems are exchanging data in the background. A request is sent from one system to another through an API, which then returns the information required to complete the transaction.
To control this exchange, systems rely on an API key or token. This credential is the security layer of the API ecosystem: it determines:
Who is making the request
What data that caller is allowed to access
What actions the caller is permitted to perform
What Happens When an API Key Is Leaked
If an API key is exposed through poor configuration, hardcoding in applications, or weak access controls, an attacker can use it to impersonate a legitimate system. From the outside, the requests look completely valid. This can lead to the following:
Attackers can pull large volumes of personal data without triggering alarms
Data can be accessed directly, bypassing user-facing security layers
Systems may continue to respond as if the requests are authorized.
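The three questions above (who, what data, what actions) and the blast radius of a leaked key can be shown in code. The following is an added example written for this article, not code from any system it discusses; the key values, subjects and resource names are constructed, and the design assumed is that the server stores only a hash of each key and issues scoped, short-lived credentials so that a leaked key can do little.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class TokenRecord:
    subject: str                # who: the integration the key was issued to
    resources: FrozenSet[str]   # what data: resource types the key may touch
    actions: FrozenSet[str]     # what actions: verbs the key may perform
    expires_at: float           # epoch seconds; short lifetimes cap a leak's value

def key_fingerprint(api_key: str) -> str:
    # The store keeps only a hash, so a leaked store does not yield usable keys.
    return hashlib.sha256(api_key.encode()).hexdigest()

# Constructed sample keys and scopes (hypothetical values, not from any real system).
SAMPLE_KEYS = {
    "partner-read-key": TokenRecord("cab-partner", frozenset({"trips"}),
                                    frozenset({"read"}), 1_800_000_000),
    "legacy-admin-key": TokenRecord("legacy-batch", frozenset({"users", "trips"}),
                                    frozenset({"read", "export"}), 1_700_000_000),
}
TOKEN_STORE = {key_fingerprint(k): v for k, v in SAMPLE_KEYS.items()}

def authorize(api_key: str, resource: str, action: str,
              now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (allowed, reason); the reason names the failed check so it can be logged."""
    now = time.time() if now is None else now
    record = TOKEN_STORE.get(key_fingerprint(api_key))
    if record is None:
        return False, "unknown key"
    if now >= record.expires_at:
        return False, f"expired key for {record.subject}"
    if resource not in record.resources:
        return False, f"{record.subject} not scoped to resource '{resource}'"
    if action not in record.actions:
        return False, f"{record.subject} not permitted action '{action}'"
    return True, f"{record.subject} may {action} {resource}"
```

A leaked "partner-read-key" can only read trips and stops working at its expiry, whereas an unscoped, non-expiring key of the kind described above would keep answering as if every request were legitimate.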
Where Policy Is Catching Up
Regulators are beginning to recognize that APIs are not just technical tools; they are data pipelines that significantly influence the overall security posture of any ecosystem.
In sectors like finance, policies such as the following are indirectly regulating APIs by controlling how data is accessed and shared:
Open Banking frameworks
Account Aggregator ecosystems
Data protection laws
For example:
Consent-based data sharing mandates secure API flows
Data minimization principles require controlled API exposure
Breach notification laws apply when API vulnerabilities lead to data leaks
However, most regulations still do not explicitly define:
API security standards
Responsibilities across API ecosystems
Real-time monitoring and access control requirements
This leaves organizations operating in a grey zone between compliance and actual security.
When Does an API Weakness Become a DPDP Risk
Here are a few use cases drawn from real-world events:
1. Zoomcar Data Breach (2025)
A breach impacting over 8.4 million users exposed names, phone numbers, email IDs, and travel data. [4]
Attack Flow:
Data stored in backend systems connected via application interfaces
Weak access controls allowed unauthorized querying of user data
Data extracted in bulk and leaked externally
DPDP Risk:
Failure to implement reasonable security safeguards [7]
Exposure of personal data beyond intended purpose
Lack of access restriction on sensitive user data
2. Air India Data Breach (SITA Passenger Service System)
While widely reported as a third-party breach, the exposure involved passenger data accessible through integrated airline systems and interfaces.
Attack Flow (API/Integration Layer Angle):
Data stored in SITA PSS (shared aviation system)
Multiple airlines accessed data via integrated service interfaces (APIs)
Compromise of the system exposed:
Passenger names
Passport details
Ticket information
DPDP Risk:
Third-party system exposure
Weak control over data access across integrations
Lack of end-to-end governance over shared data systems
3. Aadhaar Data Exposure via Unsecured API Endpoints
India’s Aadhaar ecosystem has seen multiple instances where personal data was exposed due to unsecured APIs and query interfaces across government-linked systems. [6]
Attack Flow:
Third-party and state-linked portals integrated with Aadhaar database
Unprotected or weakly secured API endpoints
Attackers (or unauthorized users) could:
Query Aadhaar details using simple parameters
Retrieve personal data at scale
Lack of authentication and access control enabled mass data exposure
Data Exposed:
Names
Aadhaar numbers
Demographic details
Linked personal information
DPDP Risk Mapping
Failure of reasonable security safeguards (Section 8) [7]
Broken authentication and authorization at API layer
Exposure of sensitive personal data without lawful access controls
Lack of governance over third-party integrations
Note: Recent global research indicates that 57% of organizations experienced at least one API-related data breach in the past two years, with many reporting multiple incidents and limited ability to detect or prevent such attacks at the API layer. [3]
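The Aadhaar case above describes an endpoint that returns a person's record to anyone who supplies a simple parameter, i.e. broken object-level authorization, with no data minimisation. The following added example (written for this article, not code from any of the systems discussed) contrasts such a lookup with a hardened one; the records, the caller structure, the consent list and the purpose-to-field policy are all constructed and hypothetical.

```python
from typing import Dict, Set

# Constructed sample records (invented people and masked identifiers, not real data).
RECORDS: Dict[str, Dict[str, str]] = {
    "1001": {"name": "A. Sharma", "id_number": "XXXX-XXXX-1234", "dob": "1990-01-01", "city": "Pune"},
    "1002": {"name": "B. Rao", "id_number": "XXXX-XXXX-5678", "dob": "1985-05-05", "city": "Delhi"},
}

# Fields each declared purpose may see (data minimisation); constructed policy.
PURPOSE_FIELDS: Dict[str, Set[str]] = {
    "address_check": {"name", "city"},
    "kyc": {"name", "id_number", "dob"},
}

class Forbidden(Exception):
    """Raised for any failed authentication, authorization or purpose check."""

def lookup_vulnerable(record_id: str) -> Dict[str, str]:
    """'Before': no caller identity is checked, so any guessable id returns the full record."""
    return RECORDS[record_id]

def lookup_hardened(caller: Dict[str, object], record_id: str, purpose: str) -> Dict[str, str]:
    """'After': authenticate, enforce object-level access per record, then minimise fields."""
    if not caller.get("authenticated"):
        raise Forbidden("unauthenticated")
    # Object-level check before any data access: an unknown id and an unconsented id
    # fail identically, so the response does not reveal which ids exist.
    if record_id not in caller.get("consented_records", ()):
        raise Forbidden("no lawful basis for this record")
    if purpose not in caller.get("purposes", ()):
        raise Forbidden("purpose not granted")
    record = RECORDS[record_id]
    return {k: v for k, v in record.items() if k in PURPOSE_FIELDS[purpose]}

def is_denied(caller: Dict[str, object], record_id: str, purpose: str) -> bool:
    """Helper for tests and audits: True when the hardened lookup refuses the request."""
    try:
        lookup_hardened(caller, record_id, purpose)
    except Forbidden:
        return True
    return False
```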
The Real Policy Gap: Where the DPDP Law Leaves API Security Unaddressed

The DPDP Act establishes clear principles on consent, purpose limitation, data minimisation, and essential security safeguards. However, it remains technology-agnostic.
This creates a gap when applied to API-driven systems.
Today’s data flows are not discrete, routine movements; they move continuously across APIs, third-party integrated systems, and cloud systems. The DPDP Law mandates safeguards in the privacy domain but does not explicitly address how they apply to these flows, hence there is a need to evaluate:
How APIs should be secured
Standards for authentication and token management
Controls for excessive or automated data access
Real-time monitoring of data exposure through APIs
Clear accountability in multi-party data ecosystems
As a result, organizations may comply with the law in principle while still exposing data through their APIs in practice.
Compliance isn’t Protection: The new normal that leadership should adhere to
An organization may appear fully compliant: its consent mechanism is in place, privacy notices are published, processing activities are documented, and so on. However, this does not by itself mean that personal data is protected in practice.
If APIs allow unrestricted or poorly governed access, sensitive data can still be exposed at scale, often without immediate detection. In such cases, systems may function as intended, but data may be accessible beyond lawful and consented boundaries.
This highlights a critical gap: regulatory compliance does not automatically ensure effective data protection. Under the DPDP framework, the real risk lies in how data is accessed, shared, and used across interconnected systems.
For Policy Leaders and Data Protection Officers, this requires a shift from static compliance to dynamic governance focusing on controlling data flows, ensuring accountability at the access level, and continuously enforcing protection measures in real time.
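Continuous enforcement at the access level means looking at data flows, not just at whether each request carried a valid credential. The following added example (written for this article, not code from any system it discusses) runs a simple bulk-read detector over a constructed gateway access log; the log format, token names and user ids are invented, and the thresholds are placeholders to be tuned per deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable

# Constructed gateway access log (invented tokens, ids and format, not from any real system).
LOG_LINES = """\
2025-06-16T10:00:01Z token=prt-a1 GET /v1/users/1001 200
2025-06-16T10:00:02Z token=prt-a1 GET /v1/users/1001 200
2025-06-16T10:00:09Z token=prt-a1 GET /v1/users/1002 200
2025-06-16T10:00:10Z token=prt-b2 GET /v1/users/1001 200
2025-06-16T10:00:11Z token=prt-b2 GET /v1/users/1002 200
2025-06-16T10:00:12Z token=prt-b2 GET /v1/users/1003 200
2025-06-16T10:00:13Z token=prt-b2 GET /v1/users/1004 403
2025-06-16T10:00:14Z token=prt-b2 GET /v1/users/1005 200
2025-06-16T10:00:15Z token=prt-b2 GET /v1/users/1006 200
""".splitlines()

LINE_RE = re.compile(r"^(\S+) token=(\S+) \S+ /v1/users/(\d+) (\d{3})$")

def find_bulk_readers(lines: Iterable[str], window: timedelta = timedelta(minutes=5),
                      max_distinct: int = 3) -> Dict[str, int]:
    """Map each token that successfully read more than max_distinct distinct user
    records inside any single window to the largest such count. Every request here is
    individually valid; only the spread across records reveals the bulk pull."""
    events = defaultdict(list)  # token -> [(timestamp, user_id)]
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skipped here; a real pipeline should count these
        ts, token, user_id, status = m.groups()
        if status != "200":
            continue  # only successful responses disclosed data
        events[token].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user_id))
    flagged: Dict[str, int] = {}
    for token, reads in events.items():
        reads.sort()
        for i, (start, _) in enumerate(reads):  # sliding window starting at each read
            distinct = {uid for t, uid in reads[i:] if t - start <= window}
            if len(distinct) > max_distinct:
                flagged[token] = max(flagged.get(token, 0), len(distinct))
    return flagged
```

Here prt-a1 re-reads one record and touches a second, which is normal traffic, while prt-b2 walks across five different people's records in a few seconds and is the one flagged for review.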
Conclusion: The Future of Data Protection Is About Data Flow
India’s DPDP framework establishes a strong legal foundation for data protection. However, the systems it governs are interconnected, real-time, and API-driven, and the industry needs to move to a continuously monitored environment that takes due care of this reality.
This fundamentally changes the nature of risk.
The next generation of data protection challenges will not arise solely from system breaches, but from continuous and often invisible data exposure through APIs and their defective integrations.
For organizations, the question is no longer whether systems are secure. It is whether data access is continuously controlled, monitored, and aligned with legal and consent boundaries.
Those that recognize this shift early will not only remain compliant but also build resilient and trustworthy digital ecosystems.
References:
1. Mozilla Developer Network (MDN), An introduction to APIs.
2. OWASP Foundation, OWASP API Security Top 10 – 2023.
3. Traceable AI, 2025 Global State of API Security Report, 2024.
4. ‘Zoomcar Hacked – 8.4 million Users’ Sensitive Details Exposed’, Cyber Security News, 16 June 2025.
7. Section 8, Digital Personal Data Protection Act, 2023.