Data of 6 lakh customers of HDFC’s NBFC arm compromised in hack

Data privacy platform Privacy Affairs first tweeted about the alleged data leak early on March 6. It stated: “Personal information of around 600,000 customers of the India-based HDFC Bank has allegedly been leaked by hackers on a popular cybercriminal forum.” (sic)

In a statement, the NBFC arm of HDFC Bank said the leak happened at one service provider and that it has taken steps to prevent further unauthorised access.

The hacker said data was stolen between May 2022 and March 2023 and contains sensitive information such as customers’ date of birth, full name, residential address, email address, phone number, loan information, credit scores, employment information and more. They claim to have 73 million entries.

Privacy Affairs’s initial report was based on claims made by cybercriminal ‘kernelware’ on a popular hacker forum ‘Breached.vc’, where they provided 7.5 GB of customer data samples and demanded money for the full database.

Further, multiple customers took to social media on March 6, sharing that they had received spam messages from the official HDFC Mobile Banking app and were unable to conduct online transactions.

There has been a surge in spam bank text messages in the recent past, Business Standard reported.

However, HDFC Bank has continued to deny the leak and said in a media statement:

“There is no data leak at HDFC Bank and our systems have not been breached or accessed in any unauthorised manner. However, we treat the matter of our customers’ data security with utmost seriousness and we continue to monitor bank systems and the ecosystem to ensure the highest standards of data security and safety.”

On the other hand, HDB Financial told Mint there was “an incident at one of our service providers, who process some of our customer information”, adding that “immediate steps” were taken to secure the service provider’s system and prevent any further unauthorised access.

“In addition, we are conducting a thorough review of the security measures adopted by the service provider to prevent similar incidents from happening in the future. We have also notified the regulator and CERT-IN and we are working with them to investigate this incident to the fullest,” HDB Financial said.

While HDB Financial did not name the service provider, according to a report in Mint the company in question is Lentra.ai – a loan aggregate company that received early investment from HDFC Bank.

HDB Financial Services is the NBFC arm of HDFC Bank, which offers business and retail loans for gold and consumer durables. Its assets under management (AUM) as of March 2022 stood at Rs 61,444 crore. Around 43 percent of its AUM is exposed to commercial vehicles and construction equipment loans.

The company reported a jump in post-tax net to Rs 441.3 crore for the June 2022 quarter and had less than 5 percent of bad assets as of March 2022, as per a CRISIL note.