Piramal Group denies data breach claims amid hacker allegations

Piramal Group, an Indian multinational conglomerate operating in pharma, financial services, and real estate, has denied claims of a data breach after a hacker alleged selling data related to thousands of its current and former employees. The hacker posted some of the purported data, including full names and email addresses, on a known cybercrime forum last week.

The hacker’s listing on the forum, seen by TechCrunch, claimed to possess a substantial amount of data from Piramal Group, offering it for an undisclosed amount. TechCrunch obtained a larger sample from the threat actor containing over 10,000 entries and verified some of these entries using a job listing portal, confirming their relation to current and former employees of Piramal Group.

Piramal Group, headquartered in Mumbai with over 10,000 employees across 30 countries, categorically denied the breach claims. “After a thorough investigation, we can confirm that there has been no data breach incident at Piramal Group. Our IT and cybersecurity teams have rigorously examined our systems, and there is no evidence to support the claim that any information or files of this nature exist on our servers,” said spokesperson Mihir Mukherjee in an emailed statement to TechCrunch.

Mukherjee suggested that the data could have originated from a third-party platform. Piramal later identified Mailinator, a service for testing email and SMS workflows, as the potential data source. However, Mailinator did not immediately respond to a request for comment.

Piramal’s spokesperson declined to elaborate on the methods used to determine the absence of a breach, including whether the company possesses technical capabilities to detect data exfiltration. Despite the hacker’s claims, Mukherjee stated that no Piramal information, such as employee email IDs, was found in the sample data provided by TechCrunch.

The company also received an inquiry from India’s Computer Emergency Response Team (CERT-In) regarding the incident. Piramal confirmed to CERT-In that no breach had occurred on their systems, and no information was compromised.