Alleged HDFC Bank subsidiary data breach: The inside story
The recent alleged HDB Financial Services data breach has come at a time when breaches and hacks are becoming commonplace. A bank data breach still raises eyebrows, and understandably so, since BFSI is a highly regulated domain.
Here are some insights into the alleged breach, brought to you exclusively by ETCIO.
“On March 6, 2023, a Dark Web monitoring company identified a post on BreachForums, where the threat actor kernel ware leaked a database allegedly belonging to HDFC Bank. While the TA quoted the impacted organization as HDFC Bank, our overall analysis indicates that the leaked data was stolen from its subsidiary, HDB Financial Services Limited (HDBFS). It is worth mentioning that our research has found its association with a data leak by the threat actor being tracked as CRIL-TA73.
Upon further verification, we found that a few of the datasets from the subject leak were consistent with the records leaked by the threat actor tracked as CRIL-TA73, which were stolen from a subdomain hosted by the GoNoGo service portal created by Lentra Pvt Ltd. This led us to believe with a high degree of confidence that the TA kernel ware shares a close association with CRIL-TA73 and likely exploited the aforementioned subdomain behind the GoNoGo portal by Lentra, exposing the subject customer data from HDBFS,” a source has told ETCIO.
This claim could not be independently verified.
So, the data breach that has now become the talk of the town is not of HDFC Bank but of a subsidiary. Many people are even linking the recent KYC scam to this data breach.
“I have downloaded the 8 GB database and all the data is only from HDB Financial Services. Now let’s assume this is just partial data, because there is data of other banks too. So according to me there could be two scenarios:
1. Only data of HDB Financial Services is breached, from the HDB Financial Services portal.
2. Data of all banks is breached via Lentra. (I have no info on this.) In this case, Lentra must provide a clarification,” says Ritesh Bhatia, a cybercrime and forensics investigator and a cybersecurity and data privacy consultant.
The certified fraud examiner goes on to provide proof of his statement.
“You see every file name begins or ends with HDB,” adds Bhatia.
“This is another case which we were discussing as part of the CISO responsibilities. So not just our systems; we also need to make sure every third-party software we use or every vendor product we integrate with our system also has to follow the same standard of security and vulnerability measures. We also need to make sure our Dev, SIT and UAT environments also go through similar types of assessments,” says Sunil Mishra, CIO/CTO, Kotak Securities.
What does HDFC Bank say?
“There is no leak with HDFC Bank. The leak appears to be with the third party processing loans associated with our subsidiary,” Sameer Ratolikar, CISO, HDFC Bank, has told ETCIO.
“I believe that HDFC Bank and its sub HDBFS are legally separate companies. Therefore, their authentication and authorisation services would also be on different domains and networks even if managed by a common vendor,” says Sudin Baraokar, Global IT and Innovation Advisor.
The final verdict
“The data is definitely not of HDFC Bank but of its subsidiary HDB Financial Services, and the trending KYC messages scam has nothing to do with this breach. It’s merely a coincidence. We also need to wait and watch if other financial institutions’ data has been breached, and this can be cleared by Lentra,” adds Bhatia.
Other sinister aspects to the data breach
“Lentra AI was held for ransom by the hackers, but the threat actors leaked the data anyway,” says Rahul Sasi, co-founder and CEO of CloudSEK.
This raises important questions and scenarios:
- Did Lentra pay the hackers before the data was leaked?
- Why did the hackers release the data if they got the ransom?
- Worst case: the hackers leaked the data to show Lentra that they had it under their control and to drive home the point that it should pay the ransom. If that is the case, they may hold other organizations’ data that is waiting to be leaked.
Sasi agrees with this assumption and also believes that the hackers have more data with them that they may release later.