HDFC Life Insurance reported a data breach on Monday, joining a string of Indian insurers facing similar cybersecurity threats. The company revealed the breach in a regulatory filing, stating it was investigating the issue with information security experts to protect customer interests.
“We have received communication from an unknown source, who has shared certain data fields of our customers with us, with mala fide intent,” the insurer said.
How is HDFC Life addressing the breach?
HDFC Life said that it has launched an “information security assessment and data log analysis” to trace the root cause. “We will take utmost care to handle concerns of our customers and take actions to safeguard their interest,” it said.
The insurer also assured customers that their interests remain its top priority. “We are committed to taking all necessary measures to ensure that such incidents do not recur,” the company stated.
Recent breaches in the sector
On September 20, personal data of thousands of Star Health Insurance customers, including sensitive details about their medical conditions, was leaked online. The leak was linked to a hacker known as xenZen, who allegedly acquired the information and made explosive claims about its sale.
The hacker claimed that the Chief Information Security Officer (CISO) of Star Health Insurance sold the data for $28,000 initially but later demanded $150,000. According to xenZen, the CISO justified the increased demand by stating that the proceeds had to be shared with senior management. When the deal fell through, the hacker reportedly released all the data online.
However, the insurer absolved its security chief in the data leak incident.
Allied Insurance also admitted to a data breach and confirmed it had notified stock exchanges, the government, and the Irdai in line with its standard operating procedures. Meanwhile, Tata AIG General Insurance also reportedly faced similar cybersecurity issues, according to media reports.
Following these incidents, the Insurance Regulatory and Development Authority of India (Irdai) on October 18 directed insurers to conduct IT system audits.
“We are closely monitoring the situation to ensure that insurers take immediate action,” the regulator said without naming specific companies. It added that companies must “act swiftly to secure systems and minimise the risks to policyholders.”
In a statement, Irdai said, “We take data breaches very seriously and will ensure that the policyholders' interests are fully protected.”
Experts weigh in on risks
Saurabh Gupta, founder and CEO of VeriSmart AI, described the threats posed by breaches. “Hackers use social engineering, malware, and phishing to access personal data. Once obtained, this information can be misused for identity theft and financial fraud,” he said.
Gupta also pointed out that stolen data could lead to severe consequences beyond financial loss. “The impact of data theft can range from embarrassment to life-threatening situations, depending on the information compromised,” he explained.
“Data breaches can lead to regulatory penalties, legal liabilities, and reputational damage. Companies often find recovery a slow and costly process,” Gangesh Varma, Principal Associate at Saraf and Partners, cautioned.
Protecting individuals and businesses
To mitigate risks, Gupta advised individuals to act swiftly. “Change passwords immediately, enable two-factor authentication, and stay vigilant for any suspicious online activity,” he recommended.
For companies, Gupta urged proactive measures. “An incident response plan is a must. Reporting breaches to authorities and affected individuals is not just ethical but a legal requirement,” he said.
Varma added, “The forthcoming Digital Personal Data Protection Act will introduce stricter penalties for businesses failing to protect customer data. Companies must prioritise compliance to avoid such risks.”
“Our online lives are deeply intertwined with our physical lives. Cybersecurity is no longer optional—it’s essential,” he said.