From Kotak Life Insurance and IDFC First Bank to State Bank of India and Turtlemint, BFSI is under cyberattack

Sensitive data of these organisations has been compromised on the dark web, which can lead to larger damage if they don't consider strengthening their security infrastructure

By Naandika Tripathi Forbes India Staff

Published: Jul 14, 2023 01:55:59 PM IST

Updated: Jul 18, 2023 03:12:01 PM IST

Full Bio

For a long time, the Banking, financial services and insurance (BFSI) sector has been the chosen target for hackers. Imaging credits: Sushil Mhatre

On July 4, the Clop ransomware group released sensitive data of Kotak Mahindra Life Insurance on the dark web. The files contain details of their clients, unique registration numbers (URN), SAP login credentials, PhonePe records of customers, and data of financial partners and customers such as Capital Small Finance Bank, Hero FinCorp, Ummeed Housing Finance, and more, Rakesh Krishnan, a senior threat analyst at an IT company, told Forbes India.

There are about 13 different folders, and each contains over eight gigabytes of data. One of them has over 37 megabytes of data. The attackers have put out some parts of the records calling it Part 1. The complete dump is not out yet. The data breach at Kotak Life Insurance is a part of Clop's data theft and extortion campaign against MOVEit Transfer customers, which has apparently compromised hundreds of organisations. The attackers gained unauthorised access to its transfer databases. But it’s still unclear how many victims have paid ransom. The same ransomware group was responsible for stealing the sensitive data of Indiabulls Group in 2020.

Kotak Life Insurance is one of the fastest growing insurance companies in India and covers over 46 million lives nationwide. “There was a worldwide cyberattack on the MOVEit application exploiting a zero-day vulnerability. We, like many other established entities, also make use of the MOVEit Transfer product for the secure transfer of files for limited business purposes. This incident had a limited impact on our file transfer process. However, based on our review, we understand that our IT network has not been compromised and our operations and customer services have not been impacted by this incident,” a spokesperson of Kotak Mahindra Life Insurance Company Limited told Forbes India.

For a long time, the Banking, financial services and insurance (BFSI) sector has been the chosen target for hackers. But this year, many large public and private entities are on the radar of these attackers.

In April, another group of hackers posted a database sample on a Russian hacker forum that contained sensitive employee information of the IDFC First Bank. The threat actors posted that they intended to sell the full database and information for $500. They also provided a sample of 10 employees and their data to prove their claim. In July, the same data appeared on other forums for sale.

"As the attacker had waited for a long time (two months), the data might not have been purchased by anyone in the forum. Hence, they decided to leak it this month (July) to various forums for karma points, which improves the person’s profile on underground forums. This helps them build a reputation among others on underground forums to gain trust and validity for future leaks,” explains Krishnan.

Forbes India reviewed the data, which has about 57,000 records of IDFC First Bank’s past and current employees. The sensitive data includes mobile numbers, email addresses, employee names, employee date of joining, designation, username, corporate ID, and more. “As the data contains corporate email addresses and phone numbers of the employees, it is easy for attackers to draft spear phishing emails to target these email addresses to obtain more controls in the near future,” adds Krishnan. Forbes India reached out to IDFC First Bank but they declined to comment on the data breach.

Also Read: How safe is your personal data? Possible data breach of CoWIN portal raises questions

A similar data breach came to light a couple of days ago, when the data of more than 12,000 State Bank of India (SBI) employees was leaked on Telegram channels. The data included the employees’ personal information, such as their SBI passbooks, names, addresses, contact numbers, Aadhar cards, and PAN numbers. On July 8, a Telegram channel with the handle @sbi_data posted a file containing the personal information of SBI employees. The file was shared on other Telegram channels and on social media.

The scammers also claimed to have access to the financial details of millions of SBI customers. The threat actor has also claimed to have dumped the compromised data on publicly accessible leak forums, India Today reported. The threat actors posted screenshots of SBI account balances and recent transactions on a publicly accessible leak forum. The leaked data was put up for sale on dark web platforms.

The banking sector needs to be more attentive in terms of building its security infrastructure. Threats are always evolving, and the cybersecurity landscape is constantly changing. The stakes are high in the banking and financial industry since there are major funds at risk as well as the potential for a severe financial crisis if banks and other financial systems are hacked, explains cybersecurity expert Saumay Srivastava, who uncovered the massive SBI leak. “A crucial first step in protecting a bank’s infrastructure against cyber threats is creating and implementing a regulatory compliance strategy. Financial institutions have to comply with and may improve upon the basic security standards required by regulations in order to defend themselves against current cyber threats,” adds Srivastava who is also a threat intelligence analyst at Threat-tool.

Forbes India reached out to SBI, but they declined to make any comments.

On July 11, the data of Turtlemint customers was leaked on the dark web. The car insurance data of Turtlemint customers, which is India’s first personalised online-offline insurance platform, was put up for sale on an underground forum. Data related to their car insurance policies, including email ids, policy numbers, names, car details, and more, was available for purchase. Forbes India reviewed parts of the data. The scammers were selling 19,14,035 records of data for $4, and three people have bought them so far. This data can be used for fraud by pretending to be Turtlemint. The company declined to comment.

Experts say that the number of cyberattacks on these prominent companies in such a short span of time is alarming. The BFSI sector has long been aware of the threat posed by cyberattacks, but it may be more vulnerable now than ever before. Cybercriminals today are more sophisticated than ever, making the challenge of protecting sensitive data even more difficult. The repercussions of failing to protect this data can be severe, including financial losses, reputational damage, and legal liabilities. The threat actors are becoming increasingly refined in their methods, and businesses must prioritise cybersecurity measures to prevent cyber threats before they occur.

According to the State of Application Security Report by Indusface, India has seen a sharp increase in the number of cyberattacks in the first three months of 2023. Over 500 million cyberattacks were blocked in Q1 2023, out of a billion attacks globally. The report found that the BFSI sector in India was the target of most attacks, especially insurance. Within the Indian insurance sector, 11 percent of all websites faced an attack, as against the global average of 4 percent. Rather than distributed denial of service (DDoS) attacks like ransomware, 99 percent of the attacks are vulnerability attacks like probe attacks using botnets.

Why BFSI is the most targeted sector

Once attackers are able to compromise a bank or financial institution, they may use it to directly steal money, credit cards, KYC, or other data and sell this to other money laundering fraudsters who will use it to open fake accounts, explains Yash Kadakia, founder of Security Brigade, an information technology security solutions provider. Fraud and hacking are no longer the domain of some person sitting in the basement of their house. It’s a well-organised eco-system with a range of vendors and suppliers that are willing to buy and sell different pieces of information, he adds.

"The BFSI sector in India invests heavily in security, and most of the companies I know are following industry-leading best practises. But the unfortunate reality is that the BFSI companies have to do every single thing right, and the attacker needs to find a single mistake," says Kadakia.

The security awareness of digital banking is still low in the country. Naive customers like senior citizens, people from rural areas, and the uneducated are low-hanging fruit for consumer fraud, according to Harshil Doshi, director of sales (India and SAARC) of Securonix, a Texas-based organisation that utilises machine learning and artificial intelligence to detect advanced threats. BFSI also represents the country’s economic stability. Hence, adversary nation-states could target them to create an insecure perception of the country by attacking banks. “Take the HDFC bank and limited merger, for example, which was actualised on July 1 and elevated the bank to the fourth most valued bank in the world. It is definitely now on the radar of all the top threat actors in the world,” adds Doshi.

Also Read: How organisations can implement new protection strategies against increasing supply chain cyber attacks

The challenge that has arisen in this sector now is that significant organisations in the sector have looked to integrate third party providers to offer a set of capabilities to their addressable market spaces. These include vendors like fintech companies all the way from KYC to loan processing to verification to offering value-added services to rating models, explains Pankit Desai, co-founder and CEO of cybersecurity firm Sequretek.

“The recent breach in Lentra, let’s say, which then in turn impacted HDFC Bank through its HDB Financial Services service provider, or the same thing that happened with ICICI. The bank or institution itself was not breached. It’s the provider that gets hit, and it’s through the provider that the rest of the ecosystem gets hit. But the single biggest factor, in my opinion, is the supply chain attack that we are seeing now in the BFSI sector,” adds Desai.

Strengthening security infrastructure

Implementation of robust security monitoring solutions can enable real-time detection and response to evolving threats. Proactive monitoring of networks, systems, and applications can help identify vulnerabilities or anomalies promptly, suggests Rahul Sasi, chief executive of CloudSEK, a contextual artificial intelligence (AI) company that predicts cyber threats. Exploring emerging technologies like AI, machine learning (ML), and behaviour analytics can enhance the sector’s ability to detect and respond to sophisticated attacks.

“It is essential for the BFSI sector to stay updated on the latest security trends and collaborate with cybersecurity experts to proactively identify vulnerabilities and deploy effective countermeasures. Supply chain threats are going to be the next major attack vector, and every financial institution needs to keep a closer watch on its supply chain,” adds Sasi.

BFSI in India has the most stable and growth-fuelled outlook for the foreseeable future, owing to the country’s non-performing assets (NPA) management, credit growth, economic boom, and mass digitisation. “The last thing we need is a dent in that story due to cyberattacks. It’s the collective responsibility of all stakeholder holders to keep all of us and our banks safe," says Doshi of Securonix.