Date:

Apr 2023

Location:

India

Summary

Fullerton India suffered a LockBit 3.0 ransomware attack which compromised approximately 600 GB of sensitive financial data, including customer personal information, loan agreements, and bank transaction details. The non-bank lender took its systems offline as a precautionary measure but resumed operations shortly thereafter. The threat actors demanded a $3 million ransom and threatened to publish the stolen data if their demands were not met.


Description

On or around April 24, 2023, Fullerton India Credit Company Limited, a major Indian non-banking financial company, fell victim to a cyber incident attributed to the LockBit 3.0 ransomware group. The threat actors claimed responsibility for the attack on their data leak site, threatening to publicly release over 600 gigabytes of the company's sensitive financial data unless a ransom payment of $3 million, or approximately 24 crore Indian rupees, was made. The group set a deadline for this payment, with the data scheduled to be published on April 29 if their demands were not met. As part of their extortion tactics, LockBit also offered the data for sale to the company's competitors or any other interested party for the same amount.


The data allegedly exfiltrated by the attackers was described as highly sensitive and comprehensive. According to claims made by LockBit and screenshots provided to media outlets by a threat intelligence provider, the compromised information included critical financial documents such as loan agreements, bank agreements, account statuses, and records of international transfers. A significant volume of personal customer information was also involved. The specific data types cited included customer IDs, bank account numbers along with their opening dates, branch codes, and detailed financial transaction records including withdrawals and deposits through systems like Real Time Gross Settlement (RTGS) and National Electronic Funds Transfer (NEFT). Furthermore, the sample dataset indicated that banking credit transactions and CIBIL reports of borrowers were also part of the stolen data cache.

In response to the incident, Fullerton India issued a formal statement on April 24, 2023, confirming it had experienced a cybersecurity event. The company stated that upon identifying the issue, it decided to take its systems offline as a precautionary measure to contain the threat and prevent further damage. This defensive action had a tangible impact on its customer base: some users reported on social media platforms such as Twitter that they were unable to log in to their accounts or access services while systems were offline. The company is headquartered in Mumbai and operates extensively across India with 699 branches, providing secured and unsecured loans to individuals, retail customers, and Micro, Small and Medium Enterprises, serving approximately 2.1 million customers.

Containment and remediation efforts were initiated swiftly. Fullerton India reported that it engaged with top global cybersecurity experts to address the malware incident and to assist in significantly enhancing its security environment for future expansion. By the date of their public announcement, April 24, the company stated it had commenced the resumption of services for its customers, indicating that online operations were being restored after the deliberate shutdown. The company's public communication emphasized its commitment to continue serving its customers in its core business segments and to expanding its footprint in semi-urban and rural geographies, suggesting a focus on business continuity and recovery.

A critical aspect of the incident response involved stakeholder communication. Fullerton India acknowledged that it had informed relevant stakeholders of the cyber incident, though the specific list of notified parties was not detailed in their public release. Notably, while the company confirmed addressing the malware and resuming operations, it remained silent on the specific claims regarding data theft. Media queries about the veracity of LockBit's claims to have stolen 600 GB of data, and the nature of that data, went unanswered in the company's official statement. The company did not confirm whether any sensitive information was actually exfiltrated from its systems.

The LockBit 3.0 group responsible for the attack is identified as a prolific ransomware-as-a-service operation. According to a report from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), LockBit 3.0, also referred to as "LockBit Black," is a more modular and evasive version than its predecessors. The group typically gains initial access to victim networks through various methods including remote desktop protocol (RDP) exploitation, drive-by compromises, phishing campaigns, the abuse of valid accounts, and the exploitation of public-facing applications. Lateral movement within a compromised network is often achieved using a preconfigured list of hardcoded credentials or by leveraging a compromised local account with elevated privileges. The group was also reported to be actively recruiting new members at the time, highlighting its ongoing operational activity.

The Fullerton India incident was not an isolated event for the LockBit group during this period. In its latest wave of attacks, the group also claimed to have stolen one terabyte of data from Nagase & Co. Ltd., a Kyoto-based chemical trading firm. Other reported targets included the websites ultimateimageprinting[.]com, abro[.]se (from which 136 GB of data was reportedly compromised), and GoForCloud[.]com. This illustrates the broad, opportunistic targeting strategy the ransomware group employs across sectors and geographies.

The potential consequences of the incident for Fullerton India and its customers were significant, given the highly sensitive nature of the data allegedly stolen. The compromise of personally identifiable information, detailed financial records, and credit reports posed substantial risks of financial fraud and identity theft for the company's large customer base. For the company itself, the operational disruption caused by the precautionary shift to offline operations directly affected business activities and customer service. The reputational damage associated with a major data breach and the attendant publicity also presented a considerable challenge. The full scope of these impacts, however, remains unclear from the publicly available information, as the company did not disclose further details on the extent of the breach or the number of individuals potentially affected. The incident underscores the persistent threat that sophisticated ransomware groups pose to large financial institutions and the critical importance of robust cybersecurity measures.
