Data of around six lakh customers of HDB Financial Services may have been compromised in a hack on HDFC Bank’s non-banking financial services (NBFC) arm, as per multiple reports.
YourStory was the first to report the data breach. Data privacy platform Privacy Affairs first tweeted about the alleged data leak early on March 6. It stated: “Personal information of around 600,000 customers of the India-based HDFC Bank has allegedly been leaked by hackers on a popular cybercriminal forum.” (sic)
The tweet received a response from HDFC Bank’s official customer care Twitter account early on March 7, which said there was no data breach. The reply by HDFC Bank Cares read: “Hi, we wish to state that there is no data leak at HDFC Bank and our systems have not been breached or accessed in any unauthorised manner. We remain confident in our systems. However, we treat the matter of our customers’ data security with utmost seriousness and we continue to monitor bank systems and our ecosystems to ensure the highest standards of data security and safety.” (sic)
Privacy Affairs’s initial report was based on claims made by cybercriminal ‘kernelware’ on a popular hacker forum ‘Breached.vc’, where they provided 7.5 GB of customer data samples and demanded money for the full database.
The hacker claimed that the data was stolen between May 2022 and March 2023 and contained sensitive information such as customers' date of birth, full name, residential address, email address, phone number, loan information, credit scores, employment information and more. They claim to have 73 million entries.
Further, multiple customers took to social media on March 6 sharing that they received spam messages from the official HDFC Mobile Banking app and were unable to conduct online transactions. There has been a surge in spam bank text messages in the recent past, Business Standard reported.
What do the companies say?
However, HDFC Bank has continued to deny the leak and in a media statement said, “There is no data leak at HDFC Bank and our systems have not been breached or accessed in any unauthorised manner. However, we treat the matter of our customers’ data security with utmost seriousness and we continue to monitor bank systems and the ecosystem to ensure the highest standards of data security and safety.”
On the other hand, HDB Financial told Mint there was “an incident at one of our service providers, who process some of our customer information”, adding that “immediate steps” were taken to secure the service provider’s system and prevent any further unauthorised access.
“In addition, we are conducting a thorough review of the security measures adopted by the service provider to prevent similar incidents from happening in the future. We have also notified the regulator and CERT-IN and we are working with them to investigate this incident to the fullest,” HDB Financial said.
While HDB Financial did not name the service provider, according to a report in Mint the company in question is Lentra.ai – a loan aggregate company that received early investment from HDFC Bank.
A spokesperson of Lentra told Moneycontrol that some reports have surfaced "about an incident of data leak with one of our clients".
"While the investigation is ongoing, preliminary analysis shows that only a minor part of single client reporting data has been compromised, and does not include customer banking data. We want to state that this is due to unauthorized access and there is no breach on our lending platform, nor ransomware or malware. To resolve the leak, we are working with regulators as well as the cyber police. Our commitment to ensuring data security on our platform is unwavering," the spokesperson added.
HDB Financial Services
HDB Financial Services, the NBFC arm of HDFC Bank, offers business and retail loans for gold and consumer durables. Its assets under management (AUM) as of March 2022 stood at Rs 61,444 crore. Around 43 percent of its AUM is exposed to commercial vehicles and construction equipment loans.
The company reported a jump in post-tax net to Rs 441.3 crore for the June 2022 quarter and had less than 5 percent of bad assets as of March 2022, as per a CRISIL note.