Amid a spate of phishing attacks on HDFC Bank customers, a hacker has allegedly uploaded volumes of customer loan data (7.5 GB) of HDB Financial Services on a dark web forum.
The HDFC customers have taken to social media to describe the phishing SMSes they have received since the last week of February 2023.
On Monday, a hacker allegedly stole customer data containing 73 million entries, such as people’s names, date of birth, age, telephone numbers, emails, marriage status, gender, residential addresses, employment information, etc., Mint reported.
The leaked data also contains loan application information, transaction method, fees, credit score, dealer name, transaction logs, general asset logs, and loyalty card numbers.
According to the report, the data also contained details like whether the loan was processed or rejected. Meanwhile, to assuage people’s fears, the HDFC Bank said: “There is no data leak at HDFC Bank; our systems have not been breached or accessed in any unauthorised manner.”
HDB Financial Services has confirmed the incident at “one of our service providers who process some of our customer information.”
HDFC Bank customers, in the meantime, have asked online how the fraudsters obtained their contact information. Cybercriminals use “phishing bank SMS” to scare people into updating their know-your-customer (KYC) or PAN card details by clicking on a link. They then hack their phones.
It has been discovered that the leaked data allegedly belonged to HDB Financial Services’ two-wheeler and consumer durable loans between May 2022 and February 2023. The company said: “We have taken immediate steps to secure the service provider’s system to prevent further unauthorized access. In addition, we are conducting a thorough review of the security measures adopted by the service provider to prevent similar incidents from happening in the future.”
However, the NBFC did not reveal who the service provider was. According to industry sources, loan aggregation company, Lentra.ai, was involved in the leak. HDB Financial said that it notified the regulator and CERT-IN for a full investigation into the breach.
