An anonymous hacker on March 6 uploaded an 8GB database on a hacker forum claiming that it contained leaked data from HDFC Bank. In an emailed statement to MediaNama, HDFC Bank on March 7 denied any data breach:
“We wish to state that there is no data leak at HDFC Bank and our systems have not been breached or accessed in any unauthorised manner. We remain confident of our systems. However we treat the matter of our customers data security with utmost seriousness and continue to monitor bank systems and the ecosystem to ensure the highest standards of data security and safety.”
MediaNama, however, was able to verify the authenticity of some of the leaked data, and it appears to belong to HDB Financial Services, a non-banking financial company (NBFC) that is a subsidiary of HDFC Bank.
Following our findings, we reached out to HDFC Bank once again, and this time we got confirmation from HDB Financial Services of a data leak at one of the service providers engaged by them:
“We wish to state that there is no data leak at HDB Financial Services and our systems have not been breached or accessed in any unauthorized manner. We understand that there was an incident of breach at one of our service providers end who processes some of our customer information.”
STAY ON TOP OF TECH POLICY: Our daily newsletter with top stories from MediaNama and around the world, delivered to your inbox before 9 AM. Click here to sign up today!
How did MediaNama verify the leaked data:
- We downloaded the leaked data from the hacker forum, which was around 8.19 GB in size and consisted of over 460 CSV files.
- We opened one of the CSV sheets dated February 17 that contained over 6 lakh rows of data. It appeared to be data related to EMI loan applications processed by consumer appliance shops. Each row of this CSV sheet contained details like the applicant’s name, phone number, email address, city, CIBIL score, requested EMI amount, approved amount, product details, dealer name, application date, application status, CIBIL score, etc.
- Since the sheet contained details of the dealers (shops) that processed the EMI applications, we contacted two of them: a home appliances shop in Tamil Nadu and one in Madhya Pradesh. These two shops confirmed that the details of their customers in the leaked sheet (name, phone, email, EMI amount, product, EMI approval status, etc) matched the details they collected from these customers and stored on their computers. They further clarified that these were EMI applications processed with HDB Financial Services and not HDFC Bank.
- We, therefore, have reason to believe that the leaked data is legitimate and belongs to HDB Financial Services.
We are not sharing a link to the hacker forum because the leaked database is still available for download, putting the privacy of lakhs of users at risk.
Why does this matter: The leaked data contains the personal data of lakhs of EMI applicants including their names, addresses, emails, phone numbers, etc, which could easily be used to carry out financial fraud and spam marketing.
How can the data be used for financial fraud: For example, a fraudster can send out fake messages (similar to the ones shown in the Tweet below) to EMI applicants offering to waive one month’s EMI in exchange for a nominal fee. Since the fraudster will have access to details of the EMI amount, product purchased, etc., the message can be framed to look legitimate. In such cases, an EMI applicant might be deceived into paying the fee, only to later find out that they were scammed.
.@HDFCBank_Cares, these fraudsters are going all out. Going by the large number of people who have received these messages over the last few days, what action have you taken to protect your customers? pic.twitter.com/PYdWWTyBUG
— Jency Jacob (@jencyjac) March 4, 2023
What is HDB Financial Services doing in response to the breach: “We have taken immediate steps to secure the service provider’s system to prevent any further unauthorized access. In addition, we are conducting a thorough review of the security measures adopted by the service provider to prevent similar incidents from happening in the future. We have also notified the regulator and CERT-IN and we are working with them to investigate this incident to the fullest,” HDB Financial Services informed us.
“We take responsibility to protect our customer’s personal and financial information very seriously. HDBFS is committed towards maintaining its customers’ trust and confidence and will continuously work to ensure the security and privacy of their information,” the company added.
What data has been leaked: There are five types of datasets we found, and they all appear to be related to EMI applications for consumer durables and two-wheelers:
- Two-wheeler loans dataset: Around 304 CSV files containing EMI applications related to two-wheelers. This dataset contains the most amount of personal data including the name, mobile number, address, vehicle details, EMI amount, email address, marital status, etc. of the applicant.
- Consumer goods EMI dataset: Around 126 CSV files consisting of EMI applications related to consumer goods like washing machines, TV, and smartphones. This set also contains personal data including the name, phone number, email, city, date of birth, CIBIL score, High Mark score, etc. of the various applicants.
- Consumer goods EMI dataset (reduced details): Around 5 CSV files consisting of EMI applications related to consumer goods and smartphones. This dataset doesn’t include as much personal data as the above datasets but includes customer names, contact numbers, CIBIL scores, High Mark scores, EMI amounts, product details, etc.
- Smartphones EMI dataset: Around 18 CSV files containing EMI applications related to smartphones specifically. This dataset does not contain any names but contains details of the EMI application such as the application number, applicant gender and age, postal code, CIBIL score, High Mark score, smartphone (make and model) details, and EMI amount.
- Unknown EMI dataset: The last dataset of around 6 CSVs contains details of EMI applications, but the type of products it pertains to is not clear. The dataset does not contain any names, but it contains details such as dealer code, city, application status, application source (Android or Web), etc.
What’s the time period of the data: The data appears to be from EMI applications processed between May 2022 to early February 2023.
How many people are affected: The hacker claims there are over 7 crore entries in total, but we found most of them to be duplicate entries since most of the CSV files have overlapping data. For example, the CSV file for smartphone-related EMIs dated February 17 has all the entries from the CSV file dated January 17 in it as well. Hence, it’s difficult to say how many unique entries are there in the leaked database.
Who could be the service provider that suffered the breach: We do not know for sure, but Mint reported that the leak happened at the loan aggregation company Lentra.ai, in which HDFC Bank is an early investor.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
Also Read
- RTI: NCERT To Conduct Security Audit Of DIKSHA, Denies User-Profiling And Data-Sharing Via The Platform
- 50 Indian Government Websites Hacked In 2022, No Update On National Cybersecurity Policy: IT Ministry
- What’s The Price Of Your Stolen Digital Identity? A New Report Claims It’s Rs 490
- Data Of 1.2 Million Cardholders Leaked, Including SBI, American Express, Finserv Customers
You must be logged in to post a comment Login