Intelliroot's Analysis of HDFC bank data leak

 

 The News 

HDFC Bank subsidiary HDBFS suffers a major data breach: sensitive customer data is compromised.


On March 6, 2023, HDB Financial Services Limited, a subsidiary of HDFC Bank, suffered a data breach that compromised the personally identifiable information (PII) of its users, including sensitive financial information. The breach was attributed to a threat actor known as "kernelware", who initially posted about the alleged database leak on BreachForums. The leaked data, which amounted to 7.5 GB, contained over 72 million entries and was subsequently posted on the hacker forum "Breached forum".



Our Analysis

Analysis of the compromised database revealed that the files in the database were logged from May 2022 until February 2023. The database contained two folders, CD_rolling and TW_rolling, which contained log files with the detailed credit information of Digital Product Loan (DPL), Consumer Durable Loan (CDL), and Two-Wheeler Loan (TW) applicants. The compromised records were found to pertain to the customers of HDB Financial Services Ltd.



Fig 2: CD Rolling (breached.vc)




Fig 3: TW Rolling (breached.vc)


What does the leaked data contain?

The leaked database contained PII of users, including full names, dates of birth, ages, phone numbers, email addresses, marital status, gender, addresses, employment information, application information, loan information, transaction methods, branch names, credit scores, Experian scores, dealer names, transaction logs, transaction remarks, and LOS IDs.




Fig 4: Leaked Details (breached.vc)




Understanding the Threat Actor

The threat actor (TA), kernelware, has been a member of BreachForums since August 2022 and has posted over 50 threads on the forum. The threat actor is also part of an affiliated group named CyberNiggers.

In addition to this leak, the TA was also involved in a data leak allegedly belonging to the Taiwan-based technology company Acer Inc. in mid-February 2023, which resulted in the theft of a vast amount of sensitive information, totalling 160GB in 655 directories and 2869 files.




This breach has the potential to cause significant harm to the customers of HDB Financial Services Limited, as their personal and financial information has been compromised. It is recommended that the company take immediate action to mitigate the damage caused by this breach and to ensure the security of their systems going forward.

Remediation Steps


The following remediation steps are recommended to mitigate the damage caused by the data breach:


Notify Affected Customers: HDB Financial Services Limited should inform all affected customers of the data breach and provide resources to protect themselves from potential identity theft and fraud. Customers should also be advised to monitor their financial accounts for any suspicious activity.

Conduct a Forensic Investigation: HDB Financial Services Limited should conduct a forensic investigation to determine the extent of the data breach and identify any vulnerabilities in their systems that may have contributed to the breach.

Enhance Cybersecurity Measures: The company should review and enhance its cybersecurity measures to prevent future data breaches. This may include implementing multi-factor authentication, regularly updating and patching software, and conducting regular security audits.

Review Third-Party Vendor Relationships: HDB Financial Services Limited should review its third-party vendor relationships and ensure that all vendors have appropriate cybersecurity measures in place.

Additionally, affected customers should be notified and provided with resources to protect themselves from potential identity theft and fraud.



Contributed by Dhabaleshwar

