Artificial intelligence has transformed nearly every industry — and cybercrime is no exception. In 2025, AI-powered cyberattacks are no longer a distant threat. They are happening right now, targeting businesses of every size across India, and the legal consequences for unprepared organisations can be severe.
What Are AI-Powered Cyberattacks?
Traditional cyberattacks relied on human hackers manually probing systems for weaknesses. AI changes this completely. Modern attacks use machine learning algorithms to:
- Scan thousands of systems simultaneously for vulnerabilities in seconds
- Craft highly convincing phishing emails personalised to each target using publicly available data
- Bypass security systems by learning how they work and adapting in real time
- Automate ransomware deployment across entire networks faster than human response teams can react
The result is attacks that are faster, harder to detect, and far more damaging than anything seen before.
The Indian Legal Landscape
Indian businesses operating in this environment are governed primarily by the Information Technology Act 2000 and its amendments, along with the newly enacted Digital Personal Data Protection Act 2023 (DPDP Act).
IT Act 2000 — Key Obligations
Under the IT Act, organisations classified as intermediaries or body corporates that handle sensitive personal data are legally required to implement reasonable security practices and procedures. Failure to do so — resulting in wrongful loss or gain — attracts liability under Section 43A, which can lead to significant compensation claims.
Specific cyber offences relevant to AI-powered attacks include:
- Section 43 — Unauthorised access and damage to computer systems
- Section 66 — Computer related offences (imprisonment up to 3 years)
- Section 66C — Identity theft (imprisonment up to 3 years)
- Section 66D — Cheating by impersonation using computer resources
DPDP Act 2023 — New Obligations
The DPDP Act introduces a significantly stricter framework. Businesses that suffer a data breach — whether caused by an AI attack or otherwise — now have specific obligations including:
- Mandatory breach notification to the Data Protection Board of India
- Notification to affected data principals (the individuals whose data was compromised)
- Potential penalties of up to ₹250 crore for significant breaches
This is not theoretical. Regulators globally are already issuing massive fines for data breaches, and India’s Data Protection Board is expected to follow suit once fully operational.
Common AI Attack Vectors Targeting Indian Businesses
1. AI-Generated Phishing (Spear Phishing)
AI tools can scrape LinkedIn, company websites, and social media to craft emails that appear to come from your CEO, your bank, or a government authority. These are nearly indistinguishable from legitimate communications.
Legal risk: If employees are tricked into transferring funds or revealing credentials, recovery is extremely difficult. Civil suits for recovery and criminal complaints under Section 66D are possible but time-consuming.
2. Deepfake Fraud
AI-generated video and audio of company executives are being used to authorise fraudulent transactions. Several Indian companies have already fallen victim to deepfake-enabled wire fraud running into crores.
Legal risk: Falls under Section 66D (impersonation) and potentially Section 420 IPC (cheating). However, prosecuting offshore attackers remains challenging.
3. Automated Ransomware
AI-driven ransomware identifies the most valuable files on a network, encrypts them, and demands payment — all within minutes of initial access.
Legal risk: Paying ransom may itself carry legal complications. The Reserve Bank of India and CERT-In have issued advisories discouraging ransom payments. Businesses must report such incidents to CERT-In within 6 hours of discovery under the 2022 CERT-In directions.
4. AI-Powered Credential Stuffing
Leaked username and password combinations from previous breaches are fed into AI systems that test them across thousands of platforms simultaneously until they find matches.
Legal risk: If customer accounts are compromised as a result, the business faces liability under both the IT Act and the DPDP Act.
What Indian Businesses Must Do Right Now
Legal Compliance Steps
1. Appoint a Data Protection Officer (DPO) Under the DPDP Act, significant data fiduciaries are required to appoint a DPO. Even if your business is not yet classified as significant, appointing one proactively demonstrates due diligence.
2. Draft and Implement a Cybersecurity Policy A documented, board-approved cybersecurity policy is essential. In any litigation or regulatory investigation, the absence of such a policy will be held against you.
3. Establish an Incident Response Plan You have 6 hours to report a cybersecurity incident to CERT-In. Without a pre-drafted incident response plan, meeting this deadline is nearly impossible.
4. Review Vendor Contracts AI attacks frequently enter through third-party vendors. Your contracts must include cybersecurity warranties, breach notification obligations, and indemnity clauses.
5. Conduct Regular Security Audits The IT Act’s requirement for reasonable security practices is assessed against what a similarly placed organisation would have done. Regular third-party audits are your best evidence of compliance.
Practical Security Steps
- Enable multi-factor authentication across all systems
- Train employees to identify AI-generated phishing — traditional training is no longer sufficient
- Segment your network so a breach in one area cannot spread to all systems
- Maintain offline backups that ransomware cannot reach
- Subscribe to CERT-In alerts for emerging threats
When to Call a Lawyer
Many businesses make the mistake of calling their lawyer after the damage is done. Ideally legal counsel should be involved:
- Before a breach — to review compliance, contracts, and policies
- During a breach — to manage notification obligations and preserve legal privilege over investigation findings
- After a breach — to handle regulatory investigations, customer claims, and potential litigation
Conclusion
AI-powered cyberattacks represent a fundamental shift in the threat landscape. The Indian legal framework is evolving rapidly to address this — the DPDP Act, CERT-In directions, and an increasingly active regulatory environment mean that cybersecurity is no longer just an IT issue. It is a board-level legal risk.
Businesses that treat cybersecurity compliance as a box-ticking exercise will find themselves exposed — both to attackers and to regulators. The time to act is now, before an incident forces your hand.
SIRI Law LLP advises businesses and individuals on cybersecurity law, data protection compliance, and digital investigations. For a confidential consultation contact us at sirilawllp.com.