On December 3, Rohit Kulkarni (name changed on request), a 38-year-old New Delhi-based marketing executive, got a text message.
The message read: “Dear Rohit, Congratulations!! Your PAN <his actual 10-digit PAN unmasked> is eligible for a pre-approved personal loan of Rs 5 lakh from NAVI. Apply now (followed by a link).”
At first, Kulkarni thought it was spam—someone trying to sell something. No surprises there; he was used to such unsolicited messages. Then, Kulkarni saw something unusual in the message: his permanent account number (PAN). And it wasn’t even masked.
“How can the company send an SMS so blatantly to random individuals with the full PAN card details in it and unmasked?” a stunned Kulkarni asked, noting that even the income tax department sends messages with PAN details masked.Several others too complained on Twitter of being approached by Navi in a similar fashion, getting text messages with their unmasked PAN details.
So now Navi has my pan card details and phone number. Wonder how did they manage this stunt? Is this navi the same startup that belongs to the poster boy of internet in india till some years ago?
— Sunil Nair (@spuriousmallu) December 3, 2021
After a backlash on social media, Navi, a digital lending company, stopped sending such text messages, a senior industry official privy to the matter said, asking not to be identified.
Navi did not immediately respond to a Moneycontrol query on where it got the PAN and phone data.
To be sure, Navi isn’t the first company to get hold of mobile phone numbers and PAN data. However, the aggressive selling tactics adopted by some firms once again turn the spotlight on the vulnerability of users’ personal data.
Several real estate companies, share brokers and credit card companies, among others, constantly solicit potential customers with text messages or calls. Such companies cross-sell products, offer loans at low interest rates and dangle discounts or cashback schemes to get customers onboard – a practice typically deployed by buy-now-pay-later firms.
However, what appears to have irked those approached by Navi was the leakage of PAN, which was displayed in full in the text messages. The question is: how safe is personal data and what can be done to protect it?
Navi Technologies, a new-age fintech company, was started by former Flipkart cofounder Sachin Bansal and his college friend Ankit Agarwal in 2018. It owns Navi Mutual Fund, renamed after acquiring Essel Mutual Fund acquired from Subhash Chandra’s Essel Group in February 2021. Its other businesses include lending, general insurance and microfinance. Navi has also applied for a universal banking licence.
Elaborating on its fintech ambitions, Bansal had said in an earlier interview with Moneycontrol that Navi aims to give out loans in under 20 minutes.
Kulkarni said he doesn’t recall registering for any service that Navi provides, where he may have shared his PAN details. Neither did he install the Navi app on his smartphone. Yet, Navi has his correct PAN, name and mobile number.
Other users who complained on Twitter – Moneycontrol went through some of them – also claimed they didn’t avail of any Navi service where they might have shared similar data. Many said they had not even downloaded Navi’s app.
“Navi might have sourced the personal information from a third party,” said the cofounder of a digital lending firm on condition of anonymity. “Nowadays, the personal information of customers is easily available and can be accessed easily.”
He added that the fintech firm should not use acquired databases for marketing campaigns that offer personal loans. The use of personal details of individuals should be restricted to internal analysis, he said.
Kulkarni suspects his personal information might have been leaked when he applied for a credit score report through a private bank website in mid-November.
“The credit bureau has my phone number, name, PAN card and other details to access my loan eligibility. So, a data leakage might have happened between a private banker and a credit bureau,” he said.
However, an industry official said it was unlikely that a credit bureau would share personal information with other entities.
“Nobody can use consumer data without his or her knowledge or consent. A credit bureau doesn’t share the personal data of an individual with a third party, when he or she applies for a credit report,” said the country head of a credit bureau on condition of anonymity.
Loan aggregator websites and fintech firms such as BankBazaar, PaisaBazaar and CRED give out credit score reports at no cost throughout the year. It’s important to check their terms and conditions before applying for credit reports.
Some credit bureaus ask for an applicant’s consent to share updates on loan eligibility and loan offers from partner banks or non-banking finance companies. These banks and NBFCs then call the applicants and try to persuade them to borrow by offering low interest rates.
However, an unnecessary loan is just that: a loan. That apart, personal data is shared – even with companies that applicants have nothing to do with. Avoid giving such consent to loan aggregators and fintech firms.
Reduce digital footprints
Often, people leave their digital footprints and personal details online, which help fintech lenders to assess their loan eligibility and approach them with loan offers.
“There is a possibility you would have put your details on shopping websites or bought consumer electronics on equated monthly instalment (EMI) during the festive season from a retail shop. While shopping on EMI, you are giving your PAN card and personal details to process your purchase into EMI,” said Raj Khosla, founder of MyMoneyMantra.Fintech lenders could then source the data from shopping websites and retailers to create their own database. Reducing one’s digital footprints as much as possible will minimise the possibility of personal data being leaked and information being misused.