Cybersecurity deficit amid rising attacks in Karnataka

With digital attacks spilling beyond major cities and into core sectors, the need for robust and inclusive cybersecurity has never been greater.
Chetan B C

Karnataka residents lost an astonishing Rs 2,915 crore to cybercrimes in 2024, or an average of Rs 7.98 crore every single day, according to data compiled by the State Crime Records Bureau. Though the figure is shocking, statistics rarely convey lived realities. 

Picture, for a moment, an unknown intruder sitting in a dim, silent room, halfway across the world, scrolling through your most recent WhatsApp conversation. This unsettling scenario is not far-fetched. All that a scammer needs is for you to tap on a dubious link or install a suspect application. This proverbial open door opens consumers up to the lower end of the damage spectrum and illustrates the cost of neglecting basic smartphone security.

Though the surge in cybercrime is alarming in its own right, the parallel, and in many ways deeper, cause for concern is the state of cybersecurity itself. 

Karnataka’s IT/BT ministry describes cybersecurity as the protection of computer resources and networks from unauthorised access, information disclosure, theft of data or disruption of activities conducted on computer resources or networks. 

The latest India Cyber Threat Report (CTR), published by the Data Security Council of India (DSCI), underscores how fragile that shield has become. From October 2023 to September 2024, the study identified more than 369 million security incidents that affected 8.44 million distinct endpoints across the nation. The figures sketch a nationwide crisis, yet Karnataka’s own defences have long been porous. Until recently the state lacked a stand-alone cybersecurity policy, and while a central framework exists, its coverage is too broad and abstract to meet Karnataka’s specific needs.

Against this backdrop, Bengaluru emerged as the nation’s second-largest cyberattack hotspot. The city accounted for 11.93% of all incidents detected in India during the CTR’s study window, just behind Surat (14.58%). The third and fourth positions were occupied by Jaipur (11.72%) and Hyderabad (11.55%) respectively.

A senior officer in the Criminal Investigation Department (CID) attributes Bengaluru’s notoriety to its reputation as a start‑up capital and its concentration of multinational firms. Yet, the officer added, attackers are no longer limiting themselves to megacities.

“There is a growing pattern of incursions into smaller urban centres, perhaps because their cyber‑defence infrastructure is even weaker,” the officer said, stressing that Karnataka must prioritise the construction of modern security architecture without delay.

Targeted sectors

Sector‑specific numbers provide further clarity. Nationally, the three most frequently targeted verticals were healthcare (21.82% of total attacks), hospitality (19.57%) and banking and finance (17.38%).

According to a senior cybercrime investigator in the Bengaluru city police, these figures are mirrored in Karnataka, even though the state has yet to conduct a formal audit of its own. As threats increase in complexity and become more technically difficult to keep up with, the lack of specific studies points to a troubling failure to prepare data-backed solutions. 

The industries at greatest risk indicate the attackers’ preferred motives: Service disruption, financial gain and data exfiltration. The most common techniques are Distributed Denial‑of‑Service (DDoS) barrages and malware‑based intrusions. 

“State‑sponsored hackers or thrill seekers typically pursue disruption,” the CID officer explained. “They deface websites, overwhelm servers with DDoS traffic or tinker with online services. The fallout is usually short‑lived but nevertheless damaging.” 

By contrast, actors who are after money infiltrate payment systems, exploit software vulnerabilities or seize operational technology, then demand a ransom to restore functionality.

Exploitation for profit

One case from last year illustrates the modus operandi. An unknown group of hackers targeted a lending application and exploited a vulnerability in its ‘loan repayment’ system. The app offered immediate online loans and allowed repayment within the app through digital payment platforms. At repayment, the sum due, including interest, would appear in the app, and clicking it would redirect the borrower to a new window on a digital payment platform.

Typically, once the user is redirected to the online payment platform, the payable sum is fixed and there is no option to edit it. In this case, attackers exploited a vulnerability in the app's working model and created an editing option. After this, many of the attackers' accomplices took instant loans of thousands of rupees and, while repaying, edited the amount to one rupee, thereby siphoning off the remaining sum.
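
As an added illustration (not code from the app or the investigation), the Python sketch below shows the server-side control that defeats this kind of amount tampering: the payable sum is taken from the lender's own ledger, bound to the loan with an HMAC, and re-checked when the payment callback arrives. The key, loan ID, amounts and function names are constructed for the example, and it assumes the payable sum passes through the borrower's device on its way to the payment platform.

```python
import hashlib
import hmac

# Constructed sample data: the key, loan ID and amounts are illustrative only.
SIGNING_KEY = b"constructed-demo-key"
LEDGER = {"LN-1001": {"due_paise": 525_000, "status": "open"}}  # Rs 5,250.00


def sign(loan_id, amount_paise):
    """HMAC over the loan ID and amount, so neither can be changed unnoticed."""
    msg = f"{loan_id}|{amount_paise}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def create_payment_request(loan_id):
    """Build the redirect parameters; the amount comes from the ledger only."""
    amount = LEDGER[loan_id]["due_paise"]
    return {"loan_id": loan_id, "amount_paise": amount,
            "sig": sign(loan_id, amount)}


def settle(callback):
    """Handle the payment callback and decide whether the loan may be closed."""
    loan_id = callback.get("loan_id")
    paid = callback.get("amount_paise")
    loan = LEDGER.get(loan_id)
    if loan is None or loan["status"] != "open":
        return "rejected: unknown or closed loan"
    # Parameters edited on the client no longer match the server's signature.
    if not hmac.compare_digest(sign(loan_id, paid), str(callback.get("sig", ""))):
        return "rejected: parameters altered in transit"
    # Even a validly signed amount must equal what the ledger says is owed now.
    if paid != loan["due_paise"]:
        return "rejected: amount does not match ledger"
    loan["status"] = "repaid"
    return "settled"
```

The loan is marked repaid only when the amount reported as paid equals the amount the server itself recorded as due, so an edited sum of one rupee leaves the loan open.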

A senior police official, who was part of the probe, admitted that investigators still have no viable leads.

Data‑theft cases can be even more severe. Here the adversaries focus on entire databases: patient records, user credentials, financial ledgers or intellectual property. 

Saidulu Adavath, Deputy Commissioner of Police (DCP), north Bengaluru division, explained that the stolen data can be used for numerous purposes, including extortion, data sale, which is a huge market in itself, and for furthering cybercrimes. 

"Using the stolen data, the cyber fraudster accesses their target's phone numbers, reviews their bank accounts, and attempts to execute some of the frauds, such as courier scams, or even makes sextortion calls," Adavath explained.

Malware strikes 

Malware attacks can be among the most critical weapons, and their effects can be brutal. Healthcare and hospitality top the vulnerability charts in part because both collect vast pools of sensitive citizen data.

In November 2024, twelve nursing homes in Bengaluru were hit simultaneously by a coordinated malware strike. Although technically skilled police officers rushed to assist, none of the affected institutions possessed even rudimentary incident-response protocols. “Because the hospitals lacked contingency plans, restoring operations took valuable hours,” said one officer involved in the rescue. Despite this, no formal complaint was filed by the hospitals.

According to him, two operational measures matter most in such an attack: The first is an immediate response to keep services running normally, especially in the healthcare sector. The second is the detection of malware to secure data and deal with the aftermath of the attacks.

“If the attacks disrupt operations of life-saving equipment, that could lead to deaths,” the officer said.    

Healthcare data, once compromised, becomes akin to a Swiss‑army knife for criminal enterprises. Bad-faith actors can reverse-engineer treatment protocols, generate artificial shortages of in‑demand pharmaceuticals or target specific individuals. 

A senior CID official put the stakes bluntly. “A hacker who infiltrates a hospital system could swap medication instructions or manipulate lab results in mere seconds. For a critically-ill patient, that is the difference between life and death.” He noted that such conditions are subject to the level of automation in a hospital.

The same principle applies to other sectors. Cryptocurrency exchanges can be raided for coins and government portals can be manipulated for cash or political leverage.

A lesson in complacency

The high‑profile case of Srikrishna alias Sriki remains Karnataka’s cautionary tale. Sriki penetrated the Karnataka e‑governance portal and lurked inside for roughly four months without detection, according to an investigator in the case who spoke to DH, on the condition of anonymity.

When asked if the crime was limited to stealing money, the officer quipped, “these servers even had thousands of tender proposals. The sheer amount of time Sriki spent on the server just to steal money raises eyebrows.” 

A Bengaluru‑based cybersecurity firm recently disclosed a breach in the Bangalore Water Supply and Sewerage Board’s (BWSSB) application portal. The board disputed any data loss but conceded an attack attempt had occurred. Collectively, these incidents highlight Karnataka’s lack of real‑time threat‑monitoring infrastructure.

Shivaling Salakki, programme manager at CySecK, the state’s public‑private cybersecurity initiative, underscored the missing elements. 

“We have an intelligence apparatus for conventional crimes, but cybercrime requires a specialised cadre fluent in both technology and law,” he said. 

Many government portals are built and maintained by the National Informatics Centre, a central government entity renowned for robust security standards. However, state‑managed sites fall under the purview of individual departmental IT teams. 

According to multiple officers, those teams are rarely trained in cutting‑edge security practices and receive scarce refresher courses. 

Inadequate infrastructure

Salakki explains that recruitment criteria should change to attract a deeper cybersecurity talent pool. Yet hiring is only one piece of the puzzle. Even when rules exist, they are often ignored. 

Standard protocols forbid staff from forwarding official correspondence to private email accounts or plugging unverified USB drives into office computers. Nevertheless, breaches are common because employees underestimate the risks. 

“If an attacker masquerades as a government domain, many officials will click the link without a second thought,” Salakki said. “Each lapse invites a potential large‑scale compromise.”

Data centres present another weak link. Karnataka stores departmental servers in multiple locations, which is not only problematic in itself, but each data centre operates under a different management regimen. Audits are sporadic, maintenance logs are incomplete and security upgrades lag behind evolving threats, according to senior police officers who monitor cyberattacks.

In the event of a coordinated strike on several centres, response teams would scramble to understand disparate procedures rather than execute a unified plan. Salakki therefore recommends that every data centre outsource security audits to firms empanelled by the Indian Computer Emergency Response Team (CERT‑In), the national nodal agency for cyber incidents.

Policy response

The list of missing infrastructure is sobering. Karnataka has no Quick Response Team (QRT) dedicated to cyber emergencies, no Security Operations Centre (SOC) to monitor system telemetry, no Security Information and Event Management (SIEM) platform for log analysis and, most crucially, no Security Orchestration, Automation and Response (SOAR) stack, the last often called the beating heart of modern defence.

For years, the state functioned without critical infrastructure to deal with cyber attacks, but a glimmer of optimism arrived in August 2024 when the Congress‑led government unveiled its Cybersecurity Policy 2024, under the leadership of Priyank Kharge, Minister for IT/BT and Rural Development and Panchayat Raj.

The policy’s vision is unambiguous: “To make Karnataka the leading cybersecurity hub in the country by instilling a culture of cybersecurity and data privacy amongst citizens and businesses and promoting a thriving cybersecurity industry and startup ecosystem in the state.” 

To achieve that vision, planners identified five pillars: Awareness‑building, skill development, research and innovation, industry and start‑up promotion, plus partnerships and collaboration. 

The architecture appears comprehensive at first glance, yet critics lament its lack of granularity. The policy mandates training for government employees but omits details about curriculum, training providers and assessment criteria. It designates the Chief Information Security Officer (CISO) as the enforcing authority but sidesteps questions about resources, workforce or a dedicated enforcement agency.

Implementation challenges

Salakki sees additional gaps. He argues that the document conflates cybercrime (traditional offences pursued through digital means) with cybersecurity (the technical discipline of protecting infrastructure) and fails to earmark a budget for either. He also recommends appointing a second CISO to oversee outreach and strategic planning so that day‑to‑day crisis management does not overshadow long‑term capacity‑building.

Karthik Bappanad, a cybersecurity consultant who contributed to drafting the policy, emphasises incentives. “Mandatory training alone will not motivate employees. Tie performance metrics or financial rewards to completion, and you stand a chance of genuine engagement.” 

Although the policy debuted in August 2024, Karnataka named its enforcement agency only in early 2025, when it announced the formation of a Cyber Command Unit (CCU) and appointed Pronab Mohanty as both Director General of Police and statewide CISO. 

Yet the CCU’s rollout has been sluggish. Several officers in Cyber and Economic Narcotics police stations say they have received no clear operating guidelines. 

Bureaucratic uncertainty

Moreover, there are numerous obstacles that may prevent the CCU from taking off successfully.

The policy has not clearly distinguished between cybercrimes and cybersecurity. It also says nothing about budgetary allocation, staff allotment, reporting structures, norms for collaboration with corporate entities or the drafting of SOPs.

A senior Home Department official, requesting anonymity, warned that the workload might quickly overwhelm the CISO unless the government assigns a pool of experts to draft rules and manage implementation. 

When asked, Mohanty maintained that the CCU is progressing steadily and that the policy’s finer points will crystallise soon. 

Priyank Kharge, who oversaw the drafting of the policy, explained that the cybersecurity landscape is very dynamic and needs additions regularly. He assured that such additions are ongoing and will be made when needed.

“When it comes to the budget, as the landscape is also changing, we will assess the requirement and release the funds. We are working flexibly in this regard,” Kharge told DH.

He emphasised that cybersecurity warrants multi-department coordination, and it has been ensured that required departments are included. He was positive about the policy and noted that it would cover a wide range of cybersecurity aspects.

The private sector

While the public sector labours to catch up, the private sector shows a patchwork of readiness. Large multinationals pour resources into in‑house security teams, but many start‑ups and mid‑sized enterprises still lag behind. 

A senior police officer notes that companies often decline to notify CERT‑In, even when breaches affect consumer data, despite a legal obligation to do so, because they fear reputational damage. Some firms outsource security to managed service providers, whereas others build internal teams, each approach carrying distinct risks and benefits.

Achyuth Krishna, Head of IT and InfoSec at the Bengaluru‑based software firm Whatfix, believes the start‑up ecosystem is maturing. Bootstrapped ventures may initially struggle to invest in robust controls, he said, but they quickly learn that customers, investors and potential partners insist on industry‑certified security frameworks. 

“Potential clients and business partners often require vendors to demonstrate compliance with established cybersecurity frameworks, making certification a practical necessity and a critical entry barrier for winning business contracts,” he said.

Speaking about reporting cyber attacks, Krishna said: “Most cyber attacks do not make headlines or become public knowledge. Companies typically disclose major breaches only when required by law, regulation, or contractual obligations.”

However, countless smaller incidents, such as attempted phishing, credential stuffing or scanning for vulnerabilities, happen daily and are managed internally by security teams, he added.

The expansion of cybercrime‑as‑a‑service exacerbates the challenge. According to a senior city police officer, hackers now market tailored attack packages on darknet forums and even casual subreddits. Corporate espionage is an everyday reality: Rival firms hire these services to monitor competing products, reverse‑engineer new features or steal intellectual property. Artificial intelligence has amplified the threat, enabling the rise of polymorphic malware whose code mutates on the fly, thwarting signature‑based detection and waging relentless assaults on the target.

Given the growing sophistication of adversaries, cybersecurity is not just desirable but indispensable. Karnataka has begun to recognise this urgency, yet implementation lags behind aspiration, according to policy specialists quoted earlier.

(Published 06 July 2025, 02:33 IST)