Data Breaches in NBFCs: Safeguarding Sensitive Customer Information

Sensitive Customer Information at Risk: How to Deal with Data Breach in NBFCs?

Introduction

I just had my third coffee and, to be honest, this topic needs it. NBFC (Non-Banking Financial Company) data breaches have become the worst of their kind. And I mean worse.

We have seen large institutions — ones that process millions of transactions a day — get compromised: customer financial data leaked, credentials stolen, entire backups exfiltrated. And yet we still see weak passwords, unpatched systems, and outdated security policies that should have been bagged and put in the trashcan years ago.

Let’s unpack it: what’s going on, why it’s going on, and what absolutely must change.

Major Data Breaches in NBFCs

I would like to be able to say these are rare. But they’re not.

It’s frustrating. There are ways to prevent these, but basic cyber hygiene disciplines haven’t been followed.

Causes of Breaches

I have been around since the era of dial-up modems and PSTN muxes — I have seen everything from ancient worms like Slammer to modern-day ransomware-as-a-service (as in, attackers now have subscription models). But some vulnerabilities? Timeless.

  1. Weak or Default Credentials: And yet people are still logging in with admin/admin in 2024. Why? Because “it’s only for testing” or “we’ll change it later.” They never do.
  2. Unpatched Systems: Organizations that don’t patch are like honey for attackers. There’s always a zero-day waiting for an unpatched firewall, router, or server. And guess what? Attackers are not waiting — they are scanning now.
  3. Poor Access Controls: If one user account is compromised, the attacker has access to critical systems. NBFCs love to centralize access, which means one breach puts everything at risk.
  4. Cloud Misconfigurations: Cloud security? Good—when done right. Over the years, terabytes of data have leaked from misconfigured S3 buckets, open database access, and default API keys.

The kicker: Most of those breaches could have been completely avoided through basic security hygiene.

Quick Take: Non-Banking Financial Companies & Cybersecurity in 2024

Data Protection Measures

Over the last few months, I’ve guided three banks through revamping their Zero Trust Architecture. And if NBFCs are serious about security, they should be thinking along similar lines.

  1. Implement Zero Trust
    • Segment networks. No more flat networks where a single breach goes up like a brush fire.
    • Limit user access. Provide access only on a need-to-know basis — not just in case.
    • Continuously authenticate. Require two-factor authentication, including for internal systems.
  2. Get Rid of Weak Passwords (No Ifs, Ands, or Buts)
    • Use password managers. No one should be manually remembering passwords anymore.
    • Enforce non-reusable, complex passwords. Applied to every account, with no exceptions.
    • Deny any password that’s on a leaked list. If it has been used in a past breach, it’s compromised.
  3. Secure Endpoint Devices
    • Implement endpoint detection and response (EDR). Threats get shut down fast through real-time monitoring.
    • Full-disk encryption. The data on a stolen laptop should be useless to crooks.
    • Block USB devices. Malware-stuffed USBs are still a thing. Stop allowing them.
  4. Lock Down Cloud Security
    • Turn on cloud logging. If you don’t log access, you can’t detect breaches.
    • Restrict API access. If an API doesn’t need to be public, turn it off.
    • Secure storage permissions. No publicly accessible cloud buckets; lock down access.
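The three password rules in item 2 (complexity, no reuse, nothing that has appeared in a breach) are easy to state and easy to get wrong in code. The block below is an added example, not the post's own code, of a policy check that applies all three. The leaked-password corpus, the salt and the password history are constructed samples, not real breach data. The breach check uses the range-lookup idea, indexing leaked SHA-1 digests by their first five hex characters, so that a client only ever has to reveal a hash prefix, and the per-user history is kept as salted PBKDF2 hashes rather than as SHA-1 of the password.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Set

# Constructed sample standing in for a corpus of passwords seen in past breaches.
LEAKED_SAMPLE = ["admin", "admin123", "Password123!", "Welcome@2024", "Summer2024!"]

MIN_LENGTH = 12
# Lower, upper, digit, everything else (punctuation, space, non-ASCII).
CHARACTER_CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
REQUIRED_CLASSES = 3
PBKDF2_ROUNDS = 100_000


def sha1_upper_hex(password: str) -> str:
    """SHA-1 of the password as upper-case hex, the form range lookups use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords: Iterable[str]) -> Dict[str, Set[str]]:
    """Index leaked passwords as 5-char SHA-1 prefix -> set of 35-char suffixes.

    This mirrors the k-anonymity range model: the caller sends only the prefix
    and compares the returned suffixes locally, so the full hash never leaves.
    """
    index: Dict[str, Set[str]] = {}
    for pw in passwords:
        digest = sha1_upper_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def is_leaked(password: str, index: Dict[str, Set[str]]) -> bool:
    digest = sha1_upper_hex(password)
    return digest[5:] in index.get(digest[:5], set())


def history_hash(password: str, salt: bytes) -> bytes:
    """Slow, salted hash used only for the per-user reuse history."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def check_password(password: str, salt: bytes, history: List[bytes],
                   index: Dict[str, Set[str]]) -> List[str]:
    """Return the list of policy violations; an empty list means accept."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    classes = sum(1 for pattern in CHARACTER_CLASSES if re.search(pattern, password))
    if classes < REQUIRED_CLASSES:
        problems.append("too_few_character_classes")
    if is_leaked(password, index):
        problems.append("found_in_breach_list")
    if history_hash(password, salt) in history:
        problems.append("reused")
    return problems


if __name__ == "__main__":
    index = build_range_index(LEAKED_SAMPLE)
    salt = b"constructed-per-user-salt"          # constructed; use os.urandom in practice
    history = [history_hash("OldButStrong#2023x", salt)]
    for candidate in ["admin", "Welcome@2024", "OldButStrong#2023x",
                      "correct horse battery staple 42!"]:
        print(repr(candidate), check_password(candidate, salt, history, index))
```

The breach check deliberately runs even when the password already fails length or complexity, so the user gets every reason at once instead of fixing one rule and being bounced by the next.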

Compliance with Regulations

Regulators are increasingly tightening the screws. RBI, SEBI, and even GDPR are crystal clear: protecting customer data is a prerequisite.

  1. RBI Mandates
    • Routine security assessments. Every NBFC should have penetration testing done at least two times a year.
    • Data localization. Data of Indian customers must be stored within India; no shipping it off to external storage systems.
    • Legal obligations for incident reporting. When a breach happens, RBI must be informed at the earliest opportunity.
  2. GDPR Compliance: This applies especially if your business has international reach.
    • Clear consent to data collection — no dodgy opt-ins.
    • Right to be forgotten. Users have the right to request complete deletion of data.
    • All personal data should be encrypted. No plaintext storage — ever.

NBFCs that ignore compliance? They won’t merely be facing breaches—they’ll be facing lawsuits.

Final Thoughts

I just returned from DefCon, and am still riding the high from the hardware hacking village. (You learn there that the access cards on certain “secure” financial systems are so easy to clone, it’s practically an invitation to copy them.)

The point? Attackers are constantly coming up with new ideas. NBFCs must be proactive rather than reacting only when a calamity strikes.

NBFCs cannot afford to get breached. Because when they are? It’s not only customer data that’s at stake—it’s reputational trust. And trust, once lost? Almost impossible to regain.

Cybersecurity is not an add-on. It’s the foundation.
