Between November 19 and November 21, 2024, an individual using the email address [email protected] and WhatsApp allegedly stole customer data belonging to HDFC Life Insurance Company Ltd. The stolen information reportedly included policy numbers, names, addresses, mobile numbers, and other sensitive details. The perpetrator emailed the stolen data to the company, demanding a ransom and threatening to release or sell the information online if their demands were not met.
A cybercrime case has been registered against an unknown person under Sections 308(3) and 351(4) of the BNS Act, and Sections 43(b), 43(i), 43(a), and 66 of the IT Act at the South Cyber Police Station.
According to the police, the complainant, a 44-year-old Associate Vice President (Legal) at HDFC Life Insurance Company Ltd., based in Apollo Mills Compound, NM Joshi Marg, Mahalaxmi, stated that the first threatening email was received on November 19 at 4:54 PM on the company’s official email IDs.
The email read: “A large amount of your customer data has been leaked. I have given you 2 days. If I don’t receive any negotiation topics by tomorrow, I will sell the data. If you fail to contact the leader in time, you will bear the consequences yourself.”
The email included an attachment containing details of 99 customer policies. While the company’s risk team was investigating the matter, a second email was received on November 20 at 11:51 AM. The sender escalated the threat, stating: “Warning again! If you choose to negotiate, it goes without saying that this will prevent you from suffering losses of hundreds of billions of rupees in terms of customer data leakage, reputation, stock market, and regulatory pressure.”
In response, an HDFC Life official emailed the sender, requesting a phone discussion. Subsequently, on November 21, the official received a WhatsApp message from the perpetrator, which stated: “How long will it take? You still don’t have anyone to discuss this matter with me. Don’t you know how serious the consequences of a data leak are?”
Believing that critical customer data had been compromised, the complainant approached the Cyber Police Station. The extortionist demanded negotiations and threatened to leak the stolen data online if the demands were unmet. The police have since initiated an investigation.
When contacted by FPJ, HDFC Life issued a statement, which was also shared with stock exchanges: “We wish to inform that we have received communication from an unknown source, who has shared certain data fields of our customers with us, with mala fide intent. We value the data privacy of our customers and, as an immediate measure, have initiated an information security assessment and data log analysis. A detailed investigation is underway in consultation with information security experts to assess the root cause and take remedial action as necessary. We will take utmost care to handle customer concerns and safeguard their interests.”
The company assured customers that they are taking the issue seriously and working to mitigate potential risks.
