[YS Exclusive] HDB Financial Services customer data leaked online
In a major cyber attack, 30 GB of customer data of HDB Financial Services, the non-banking lending arm of HDFC Bank, has been leaked on a hacker portal. These include details pertaining to consumer durables and two-wheeler loans.
In a major case of cyber attack and data breach, almost 30 GB of customer data belonging to HDB Financial Services, the non-banking lending arm of HDFC Bank, was leaked online on a hacker forum on March 6.
The data, leaked from one of the loan service providers of HDB Financial Services, is estimated to contain around 73 million entries and is from the period between May 2022 and February 2023, said two people who have seen the data dump.
YourStory has seen a sample of the data, which contains consumer information pertaining to two categories—consumer durable loans and two-wheeler loans.
YourStory could not ascertain the exact number of customers whose data have been leaked, given that there could be multiple entries on the same person.
"We understand that there was an incident at one of our service providers who processes some of our customer information," HDB Financial Services said in a statement responding to queries from YourStory.
"We have taken immediate steps to secure the service provider’s system to prevent any further unauthorised access. In addition, we are conducting a thorough review of the security measures adopted by the service provider to prevent similar incidents from happening in the future. We have also notified the regulator and CERT-IN and we are working with them to investigate this incident to the fullest," the company said.
The Indian Computer Emergency Response Team, or CERT-IN, functions under the Ministry of Electronics and Information Technology and is the nodal agency dealing with cyber security threats.
“If you look at the data dump, there is information around customers’ application, whether it was processed or rejected, and the loan sanction amount,” said one of the people mentioned earlier.
For instance, a particular data set, which YourStory has seen, contains details about a TVS scooter being purchased by a customer in Meerut, who was sanctioned a loan of Rs 1,35,000. The mobile number and the name of the customer are also available.
There is also data on a consumer looking to purchase a Vivo V5 smartphone, who was sanctioned Rs 35,999 (the price of the device in India). The name of the customer, his location, the dealer’s name, and the purchase date are all available in the data dump.
The data that has been released mainly pertains to customers applying for credit, their credit scores being checked, and the status of their loans (whether they have been approved or not).
“Typically, such attacks are followed by ransom demands from hackers; it is not clear if such a demand was made to the NBFC,” said the other person mentioned in the story.
In 2020, Indiabulls Group faced a similar attack when a chunk of its customer data was compromised.
Some media reports indicate that the attack was aimed at the private sector lender. However, HDFC Bank has clarified that its systems remain safe.
“We wish to state that there is no data leak at HDFC Bank and our systems have not been breached or accessed in any unauthorised manner. We remain confident in our systems,” an HDFC Bank spokesperson said after initial news reports pointed towards a breach at the bank's systems.
“However, we treat the matter of our customers’ data security with utmost seriousness and we continue to monitor bank systems and the ecosystem to ensure the highest standards of data security and safety.”
HDB Financial Services offers business loans and retail loans for gold and consumer durables. Its AUM stood at Rs 61,444 crore as of March 2022; 43% of the AUM is exposed to commercial vehicle and construction equipment loans.
The NBFC had bad assets of less than 5% as of March 2022, said a Crisil note from July last year.
Disclaimer: This article has been updated to include HDB Financial Services' response.
(Feature Image: Chetan Singh)
Edited by Swetha Kannan