Moneycontrol PRO
you are here: HomeNewsBusinessBanks

No successful data breach yet, but tighter third-parties checks must for preventing privacy breach, HDFC Bank CISO says

More awareness among customers and employees essential to prevent data leakage, the CISO said

August 04, 2022 / 09:37 PM IST


There have been no successful cybersecurity data breaches at India’s largest private lender HDFC Bank between June 2018 and March 2022, the bank’s Chief Information Security Officer Sameer Ratolikar told Moneycontrol on August 4.

His comments were a day after the central government informed the Parliament that India’s banks reported 248 successful data breaches by hackers and miscreants between June 2018 and March 2022. Most of these data breaches pertained to card details leakage, and theft of business and non-business information, the Centre said.

“Data breach prevention is the most important challenge which the entire banking system has, to be very honest and transparent…to my understanding, these data breaches are prominent examples of cheating,” Ratolikar said.

Of the total 248 data successful data breaches reported by banks, 41 were reported by public sector ones while private sector banks reported 205 data leaks, the minister said.

“Today, in my understanding, the data is getting leaked by social-engineering tactics, where gullible people are disclosing their credit card number, debit card pin, net-banking ID, and password over a phone call or SMSs. A huge amount of data leakage is happening in these channels, rather than by technological means,” he said.


As per HDFC Bank’s FY22 annual report, the total number of frauds reported at the bank rose to 6,543 in FY22 from 5,232 in FY21. The total amount involved in frauds, though, reduced to Rs 505.9 crore during FY22, lower than Rs 1,640.8 crore rupees of frauds in FY21.

The trend witnessed at HDFC Bank is in line with the Reserve Bank of India’s (RBI) FY22 annual report data.

As per the RBI, banks reported a total of 9,103 frauds involving Rs 60,414 crore in FY22, as against 7,359 frauds amounting to Rs 1.38 lakh crore in FY21.

“Today, the model has shifted from phishing, which is e-mail based, to vishing--a voice-based mechanism trying to lure customers into divulging personal details…the modus operandi has moved to SMS’s,” the CISO said.

On the institutions side, banks are also prone to distributed denial of services (DDoS) attacks by hackers, malware attacks, and ransomware attacks, among others.

RBI action

As per Ratolikar, HDFC Bank assess its cybersecurity infrastructure on regular intervals through third-party security rating services, and regular audits are also carried out by the RBI and other independent agencies. The bank has “been maintaining data protection standards to a great extent”, Ratolikar said.

The private sector lender’s business growth was significantly impacted by the challenges faced after RBI imposed a moratorium on it from launching new digital products and offering credit cards in 2021. The regulator had undertaken the supervisory action after the bank’s servers repeatedly gave out and customers faced issues in online banking transactions.

In an interaction with Moneycontrol on March 16, five days after the regulator lifted the ban on lenders from offering new digital products, the bank’s group head of payments, consumer finance, and digital banking Parag Rao said the bank had used the interim period to “relook”, refurbish and upgrade many of its systems.

Data leakage counter-measures

Third-party service providers, who also work with banks on various financial services products, need to apply tighter data protection standards in order to avoid private data leakage.

Further, greater awareness among customers and the employee base of the bank is also required to prevent data breaches.

“The third-party service providers, which also works with banks these days for various purposes, there we need to tighten the control to ensure data leakage is addressed,” he said.

Further, HDFC Bank’s new mobile banking application is enabled with the “RASP” feature or Runtime Application Self Protection, which ensures that the bank application does not open if any remote access applications are already open in the background, tracking screen, or other data of the customer, the CISO said.

As per Amit Das, chief executive officer and co-founder at, there are significant challenges associated with losses that are caused by bad agents impersonating bank customers, carrying out phishing transactions for instance.

“In our experience, the balance between user experience and security at user front end, heightened security at infrastructure back end, and significant customer education is needed to improve data leakages,” Das said.
Piyush Shukla
first published: Aug 4, 2022 04:15 pm
ISO 27001 - BSI Assurance Mark