Hackers stole 16m customer records from Indian insurance giant's systems

Threat actors have put up for sale on the dark web as many as 16 million customer data records stolen from Indian insurance giant HDFC Life Insurance.

 

On November 25, India’s leading life insurance provider, HDFC Life, said in a filing with the Bombay Stock Exchange that it “received communication from an unknown source, who has shared certain data fields of our customers with us, with mala fide intent.”

 

The company said it has launched a detailed investigation and has engaged external information security experts to assess the root cause and take remedial actions.

 

“We value the data privacy of our customers and as an immediate measure, we have initiated an information security assessment and data log analysis,” reads the filing.

 

“We continue to investigate this further to assess potential impact and are making this disclosure as a matter of good governance. We will take utmost care to handle the concerns of our customers and take actions to safeguard their interest,” the company added.

 

While the insurance provider did not share details on who is responsible for the data security incident or the number of affected individuals, an unnamed threat actor recently claimed responsibility for hacking into the company’s internal network and listed HDFC Life as a victim on BreachForums.

 

 

The hacker claims to be in possession of 16 million customers’ personal data that includes policy numbers, names, mobile numbers, dates of birth, email addresses, home addresses, health status, insured amount, premium details, order invoice numbers, Permanent Account Numbers (PAN), bank details and more.

 

The perpetrator has asked for a ransom of 150,000 USDT and has given the insurance company a deadline of December 6 to pay the ransom, threatening to leak the stolen data if the demand isn’t met. They also gave buyers on BreachForums the option of buying the data in small batches starting from 1,00,000 entries.

 

HDFC Life is yet to comment on the claims of the threat actor. Also, the authenticity of these claims are yet to be verified.