RBI Officials Visit Fullerton India To Assess Data Breach Incident Impact
Fullerton said that they had alerted all "relevant stakeholders of the possibility of a cyber incident."
Officials from the Reserve Bank of India have visited the main office of Fullerton India Credit Company Ltd. and are assessing the non-bank finance company’s systems and response to the alleged data breach, two people aware of the development told BQ Prime.
In a mailed response to queries from BQ Prime, Fullerton said that they had alerted all "relevant stakeholders of the possibility of a cyber incident."
Media reports show that, as per sample data made available online, Fullerton India has been impacted by a data breach, with the Lockbit 3.0 ransomware group seeking a Rs 24 crore ransom by April 29 to avoid the release of 600 GB of sensitive customer and company data.
As per the first source, the data leak allegedly happened over the course of the last month, and Fullerton informed the RBI within the stipulated reporting time of learning about the breach.
The RBI team will be looking at how Fullerton India’s systems were hacked, how long the leak went undetected, and the response once the leak was noticed. This will be factored into the incident report that the RBI will generate and will go into their assessment on whether it merits any supervisory stricture, the second source said.
Even though the leak may have happened earlier, it was around April 24 that Fullerton India customers were unable to access the online systems, which is in sync with the company saying that it went offline once it became aware of the cyber incident.
Their entire response is reproduced here:
"With reference to the three questions posted by you, we would like to categorically assert that the Company immediately chose to operate offline as soon as it was alerted of the possibility of a cyber incident. In line with standard operating processes, Fullerton India informed all relevant stakeholders of the possibility of a cyber incident, even as it worked with its in-house teams and global experts to both confirm the incident and evaluate the threat assessment, if any.
Basis technical feedback from the most credible cybersecurity firms, Fullerton India has commenced resumption of services for its customers and is working with top, global experts to significantly enhance its security environment for future expansion.
The company remains committed to serve customers in Retail, Micro-Small and Medium Enterprises and Affordable Housing and will continue to expand its footprint in semi-urban and rural geographies.
We hope this gives you a full perspective of the said incident."
Fullerton India is part of the Sumitomo Mitsui Financial Group, which holds 74.9% of the company, with Fullerton Financial Holdings owning the remaining 25.1%.
The non-bank lender is active in providing working capital loans for small and medium-sized enterprises, along with loans for commercial vehicles, two-wheelers, home improvement loans, loans against property, personal loans, and some rural lending products.