HDB Financial Services Finds Breach at Data Processor
An Estimated 600,000 Customers Affected by Breach
Records of more than half a million customers of a lending service owned by India's largest private sector bank are apparently downloadable for free on a criminal data breach forum.
A hacker who uses the handle "kernelware" on Monday posted files, later consolidated into a single spreadsheet, of records allegedly stolen from HDB Financial Services, a nonbank financial company owned by HDFC Bank. The hacker says the files contain more than 73 million entries dating from May 2022 through February 2023, including data such as emails, marital status, gender and credit scores.
Privacy Affairs estimates the leak affects around 600,000 customers.
HDFC Bank initially denied a leak, writing that "our systems have not been breached or accessed in any unauthorized manner." It later told Reuters that it had found a data breach at one of its service providers that processes customer information. HDB works with hundreds of outsourcing vendors that process customer loan applications on its behalf. The bank also said there is no data leak at HDFC Bank itself. The financial institution did not respond to an inquiry from Information Security Media Group.
Privacy Affairs flagged Twitter messages from Indian Twitter users reporting failed transfers and even scam messages, although ISMG could not verify whether they are accurate. Multiple fake HDFC Twitter accounts, at least some of which, if not all, are bots, are responding to customer complaints in likely attempts to further scam customers. The fake account @HDFC_HDFC is still live as of publication, as is @HDFCBan82738223. Twitter suspended at least one of the fake accounts.
Venkata Satish Guttula, director of security at web portal Rediff.com India, told Information Security Media Group that the financial sector benefits from third-party risk assessments and proactive strategies to manage the risk of vendor breaches.
"While third-party vendors can bring many benefits, such as cost savings, expertise and flexibility, they can also introduce significant risks, such as data breaches, compliance violations, reputational damage and legal liabilities," Guttula said.