HDB Financial Services, a lending service owned by India’s largest private sector bank, HDFC, suffered a data breach affecting over half a million customers.
Hacker “kernelware” posted a spreadsheet with 73 million entries allegedly containing customer data, including emails, marital status, gender and credit scores, dating from May 2022 through February 2023.
Privacy Affairs estimates the leak affects around 600,000 customers. HDFC Bank denied a leak initially, but later admitted to finding a data breach at one of its service providers that processes customer information, which outsources work to hundreds of vendors.
Privacy Affairs flagged Twitter messages from Indian users reporting failed transfers and scam messages, although ISMG could not verify their accuracy.
Multiple fake HDFC Twitter accounts, some of which are bots, are responding to customer complaints in attempts to further scam customers. HDFC_HDFC and HDFCBan82738223 are among the fake accounts, and Twitter suspended at least one of them.
Venkata Satish Guttula, director of security at Rediff.com India, suggested the financial sector should conduct third-party risk assessments and develop proactive strategies to manage the risk of vendor breaches.
Guttula said third-party vendors bring many benefits, including cost savings, expertise, and flexibility, but also introduce significant risks, such as data breaches, compliance violations, reputational damage, and legal liabilities.