Shriram Life Responds to Alleged Server HackDenies Breach; Claims to Have Robust Security Controls
In response to the recent alleged hacking of its servers by an unknown group of attackers, Hyderabad-based Shriram Life Insurance strongly denies any breach of its servers and says it has robust security controls with strict policies in place to prevent breaches. (See: Shriram Life Insurance Servers Hacked? )
Shriram Life Insurance Company Limited, an arm of the Rs 90,000 cr. the Shriram Group, was reported to have allegedly suffered a data breach involving 50 GB of critical data, including customer credentials on June 29. This data is currently being dumped in the dark web by anonymous attackers, who say they intend to sell the data on the web for 50 bitcoins.
In response to the alleged breach incident, N. S. Nanda Kishore, Group CTO of Shriram Value Services, the IT arm of Shriram Group, strongly denies any breach.
"We are surprised to see the report on Shriram Life Insurance Company's servers being hacked and data extracted by a group of hackers, as we at Shriram Life are committed to protecting and safeguarding the valuable data of our customers," says Nanda Kishore.
"We have invested in the world's leading security technologies and have strict end user policies to prevent breaches," he adds.
"While we have not noticed any breaches in our data center as claimed by the report, our security experts are ensuring we have the best protection in place," Kishore says.
However, information about the alleged breach was provided by an independent anonymous source who said attackers have hacked into all servers of the organization, and the entire data - including customer data - has been extracted, amounting to over 50 GB.
The source said that the attackers would have seized control of the computers and accessed the intranet system by compromising IT administrators' computers using an infected application, and threaten that the data sourced will be sold for 50 bitcoins. This information was corroborated by a second independent source.
J. Prasanna, director, AVS Labs Pte Ltd and Cyber Security and Privacy Foundation Pte Ltd., does not rule out the possibility of a hack. In this form of attack, hackers would have spotted an application vulnerability and infiltrated all the servers, and would have only shared sample data to divert the organization's attention to patch just the infected server - leaving other servers potentially exposed.
Another independent source, C.N. Shashidhar, founder and CEO of SecuriT Consultancy Services LLP, confirmed that this form of hacking incident seems authentic, as the company's web server had been infected with malware.
Nanda Kishore responds saying that the data found as data dump would have been that available in the public domain.
'We Work with the Best'
Shriram Value Services team claims that IT security is never treated as being secondary as they understand data sensitivity.
V. Sendil Kumar, VP-IT, Shriram Value Services says, "Even though we agree that no company is 100 percent secured, we do monitor our IT security on a regular basis and have a dedicated SOC team for IT security management."
"With regard to this particular hack issue, we understand that it is hosted in a third party location and has a few non critical data, customer grievance content etc.," says Sendil Kumar.
According to him, the company's data center is ISO 27001:2013 certified. The gateway is secured with higher end firewalls and switches, he says.
"We work with the best security consultants for vulnerability assessment and penetration testing as part of our network security assessment program at periodic intervals," he says.