In a major cyber-attack on Monday, March 6, 2023, 30 GB of customer data from HDB Financial Services, the non-banking lending arm of HDFC Bank, was leaked on a hacker portal.

From early reports, it was known that a hacker with the alias 'Kernelware' posted 7.5 GB of customer data to the hacker forum 'Breached.vc’, potentially belonging to HDB Financial Services, a subsidiary of India's largest private bank, HDFC Bank. The data available on the dark web looked like customer loan data, which also included details such as whether the loan was processed or rejected and other miscellaneous information.

During the early hours after the attack, it was reported that HDFC Bank had been breached, but later, after clarifications and initial security checks, it was told that HDB Financial Services, which lends money, had been hacked.

It was told to Mint by an HDFC spokesperson that there is no data leak at HDFC Bank and their systems have not been breached or accessed in any unauthorised manner, but on the other hand, HDB Financial has confirmed that there was an incident of data breach at one of their service providers who processes some of their customer information.

However, by looking at the data samples on the web, it was observed that the data belonged to HDB Financial Services, an NBFC arm of HDFC Bank. And, the leaked data was of HDB’s two-wheeler and consumer durable loans from the period between May 2022 and February 2023. 

According to sources, it was told that the internal security teams have taken immediate steps to secure the service provider’s system to prevent any further unauthorised access. In addition, they are conducting a thorough review of the security measures adopted by the service provider to prevent similar incidents from happening in the future.

The leak contains the following information belonging to the HDFC Bank users

• Full names

• Date of birth
• Age
• Phone Numbers
• Personal Email
• Work Email
• Marital Status
• Gender,
• Residence Address
• Permanent Address
• Pincodes
• City
• State
• Employment Information
• Loan Information
• Transaction methods
• Credit Scores
• Experian Scores
• Loyalty Card Numbers
• and other miscellaneous things.

Here are some images of the data that was leaked and disclosed in public domain ( Disclaimer :- The images are blurred to maintain the privacy.)

The incident was immediately reported to the Indian Computer Emergency Response Team, or CERT-IN, which functions under the Ministry of Electronics and Information Technology and is the nodal agency dealing with cyber security threats.

For your own security, we would advise you to keep a check on any malicious activity in your account, change online passwords, and always keep two factor authentication turned on to protect your data, as this will not make you invincible but will minimise the impact on you.