
Cyber Incident Victim: Kotak Life Insurance

Date: Jul 2023

Location: India

Summary

The Clop ransomware group breached Kotak Life Insurance by exploiting a zero-day vulnerability in the MOVEit Transfer application. Sensitive client and partner data was stolen and subsequently released on the dark web. The company stated the incident had a limited impact on its file transfer process and that its core IT network and customer services remained uncompromised. This was part of a larger global campaign targeting MOVEit customers.


Description

On or around July 4, 2023, the Clop ransomware group released sensitive data belonging to Kotak Mahindra Life Insurance Company on the dark web. This incident was part of a larger data theft and extortion campaign conducted by the same group against users of the MOVEit Transfer application, which had compromised hundreds of organizations globally. The attackers gained unauthorized access to the file transfer databases by exploiting a zero-day vulnerability within the MOVEit application. The released data comprised numerous files containing extensive client information, including unique registration numbers (URN), SAP login credentials, and PhonePe records of customers. Furthermore, the breach exposed data related to Kotak Life Insurance's financial partners, such as Capital Small Finance Bank, Hero FinCorp, and Ummeed Housing Finance. The published data was organized into approximately thirteen different folders, with each containing over eight gigabytes of data; one specific folder was noted to have over thirty-seven megabytes. The attackers labeled this initial release as "Part 1," indicating that the complete data dump had not yet been published at the time of the report.


In its official response, a spokesperson for Kotak Mahindra Life Insurance Company Limited confirmed the company's use of the MOVEit Transfer product for secure file transfers for limited business purposes. The company acknowledged the worldwide cyberattack on the application but stated the incident had a limited impact on its file transfer process. Based on their internal review, they asserted that their core IT network had not been compromised and that their operations and customer services remained unaffected. Kotak Life Insurance is a significant entity in the Indian insurance sector, covering over forty-six million lives nationwide, which underscores the potential scale and sensitivity of the compromised information. The Clop group has a history of such attacks, having been responsible for stealing sensitive data from the Indiabulls Group in 2020. It remained unclear from the available information how many victims of this broader campaign had paid a ransom to the threat actors.

This incident involving Kotak Life Insurance occurred within a concerning pattern of cyberattacks targeting the Indian Banking, Financial Services, and Insurance (BFSI) sector throughout 2023. Just a few months prior, in April, a different group of hackers posted a sample database containing sensitive employee information from IDFC First Bank on a Russian hacker forum. The threat actors announced their intention to sell the full database for five hundred dollars and provided a sample of ten employees' data to validate their claim. By July, the same dataset appeared for sale on other forums. A review of the data indicated it contained about fifty-seven thousand records of both past and current employees, including mobile numbers, email addresses, employee names, dates of joining, designations, usernames, and corporate IDs. A senior threat analyst suggested that the attackers likely waited two months before leaking the data more broadly on various forums to gain "karma points," which helps build their reputation and validity within underground communities for future leaks.

Shortly after the Kotak breach became public, another significant incident was reported involving the State Bank of India (SBI). On July 8, a Telegram channel using the handle @sbi_data posted a file containing the personal information of more than twelve thousand SBI employees. This file was subsequently shared across other Telegram channels and social media platforms. The leaked data was highly sensitive, including employees' SBI passbooks, names, addresses, contact numbers, Aadhaar cards, and PAN numbers. The scammers further claimed to have access to the financial details of millions of SBI customers and supported their claims by posting screenshots of account balances and recent transactions on a publicly accessible leak forum. The compromised data was also put up for sale on dark web platforms. The bank declined to comment on the breach when approached.

The targeting of the BFSI sector continued with an attack on Turtlemint, India’s first personalized online-offline insurance platform. On July 11, customer data related to car insurance policies was leaked on the dark web and put up for sale on an underground forum. The data available for purchase included email IDs, policy numbers, names, and car details. The threat actors were offering for sale a total of 1,914,035 records for a price of four dollars, and it was reported that three individuals had already purchased the data. This type of information could be readily used to perpetrate fraud by impersonating the company. Turtlemint also declined to provide a comment on the incident.

According to a report by Indusface, India experienced a sharp increase in cyberattacks during the first quarter of 2023, with over five hundred million attacks blocked out of a global total of one billion. This report identified the BFSI sector, and particularly insurance, as the most targeted industry within India. Eleven percent of all websites in the Indian insurance sector faced an attack, a figure significantly higher than the global average of four percent. The nature of these attacks was also notable, with ninety-nine percent being vulnerability or probe attacks utilizing botnets, rather than distributed denial-of-service (DDoS) or ransomware attacks. Experts within the cybersecurity field explain that the BFSI sector is a prime target because a successful compromise can lead to direct theft of money, credit cards, KYC data, and other sensitive information. This data is highly valuable and can be sold to other fraudsters for activities like opening fake accounts and money laundering. The motivation extends beyond financial gain, as nation-state adversaries may target prominent financial institutions to undermine the perception of a country's economic stability.

A significant challenge highlighted by these incidents is the evolving nature of threats through supply chain attacks. Major organizations increasingly integrate third-party providers, such as fintech companies, for services ranging from KYC and loan processing to verification and rating models. This integration expands the attack surface, as a breach at a service provider can impact the entire ecosystem of partners and clients. For example, breaches at vendors like Lentra have previously impacted major financial institutions such as HDFC Bank and ICICI, even though the banks' own core networks were not directly breached. This underscores the critical need for financial institutions to meticulously monitor their supply chains for vulnerabilities. The sophistication of cybercriminals has increased dramatically, transforming fraud and hacking from isolated activities into a well-organized ecosystem with various vendors and suppliers specializing in stolen information.

The collective impact of these cyberattacks on prominent companies in a short period is alarming. The repercussions of failing to protect sensitive data in the BFSI sector are severe, encompassing direct financial losses, significant reputational damage, and potential legal liabilities. While experts note that the BFSI sector in India invests heavily in security and generally follows industry-leading best practices, the reality is that these companies must execute every security measure perfectly, whereas an attacker only needs to find a single mistake to exploit. The stakes are exceptionally high in banking and finance due to the large funds involved and the potential for triggering a broader financial crisis if critical systems are compromised. Additionally, the security awareness among a large portion of the digital banking customer base in India remains low, making naive customers such as senior citizens and people from rural areas easy targets for consumer fraud. This combination of factors makes the sector uniquely vulnerable despite its investments in cybersecurity infrastructure.
