Personal data breaches are increasingly common in the financial services sector: 59% of respondents claim that their data has been compromised by loan agencies, 40% allege that it was the insurance provider and 34% believe that it is the banks that misused their data. It is clear that people believe financial institutions are failing in their responsibility to protect their personal data, says LocalCircles.
According to the report, protecting customer or consumer data has never been part of the process design at most financial institutions in India, such as loan agencies, insurance providers and banks, but rather an afterthought. "As and when vulnerabilities are found, the citizen-centric financial institutions have plugged the gap while many of them have just addressed the issue at hand without making long-term process and system changes."
"The last mile of these institutions is the most vulnerable either because they employ an external organisation i.e. contract workers or these organisations have not been briefed about the rules and regulations related to data protection," it added.
Breach of data is not just confined to personal information. In August this year, Union minister of state for finance Bhagwat Karad told parliament that data fraud amounting to Rs6,861 crore was reported by private and public sector banks in the first quarter of the current financial year.
Parliament was informed that Indian banks reported 248 data breaches between June 2018 and March 2022, resulting in theft of business and personal information mostly due to card details leakage.
Of the 248 data breaches, 41 were reported by public sector banks, 205 by private sector banks and two by foreign banks, the minister said. Dr Karad also stated that the Reserve Bank of India (RBI) issued guidelines on cyber security framework for scheduled commercial banks (SCBs) to implement cyber security and information technology (IT) controls, among other things, for prevention of data leakage from its systems.
LocalCircles says even the front-line staff of most financial institutions work with customers using their own personal phones and WhatsApp. "When any such individual leaves the organisation, the personal financial data of the customers goes with them, leaving them highly vulnerable to theft and fraud. Most commonly, the same individual joins another competing financial institution and the same customer gets an unsolicited request to avail of a similar financial service by that company. The lack of a data protection law has led to most financial institutions not designing their processes to protect customer's private information."
The majority of the survey respondents felt that weak internal and external governance at the financial institutions was leading to such breaches, the survey report says. "Also, the highest number of people, 53% felt that it was the service providers of these institutions that compromised personal data, while 38% felt employees were involved as well. A sizable 43% also felt that the institutions themselves were compromising their information or selling it, a big enforcement or communication gap that the financial institutions must plug."
With the hope that the new data protection bill will soon be released for public input, LocalCircles says it decided to conduct a detailed study on the financial sector from a data privacy breach standpoint so that concerns and experiences of citizens across the country can be quantified and used as an input in the formation of the law. The survey received responses from over 41,000 citizens located in over 319 districts of the country.
59% of those with existing loans have been approached with detailed alternate offers in the past five years
The first question in the survey was about understanding the experience of people with their loans and especially alternate offers regarding their loans. It asked respondents, "Have you had any instances in the past five years where you received a detailed alternate offer related to your existing loan via email, phone call, SMS or WhatsApp?"
In response, 33% out of 10,980 respondents stated that it happened several times, 26% stated it happened once or twice, while 41% were fortunate not to have received any such communication. Loan terms can be anywhere ranging from a couple of months to even 10 years in case of home loans.
On an aggregate basis, the survey found that 59% of those with an existing loan have received detailed alternate offers to switch to another lending institution via email, phone call, SMS or WhatsApp within the past five years. This indicates a massive data breach, as the sender has access to an individual's personal loan data, which is being used to send unsolicited loan offers, it added.
40% of respondents surveyed say they have been approached with detailed alternate offers for their existing insurance policies
The second question in the survey was about people's experience with their insurance policies, especially if they received alternate offers on their insurance policies. It asked respondents, "Have you had any instances in the last five years where you received a detailed offer related to your existing insurance policy/ policies via email, phone call, SMS, or WhatsApp?"
About 40% of the 10,665 respondents to the question had been approached: 30% shared that they had been approached several times, and 10% once or twice. Another 55% stated it had never happened, while 5% were not sure.
"What this means is that, on an aggregate basis, four in 10 citizens who hold an insurance policy received detailed alternate offers to their policy indicating that someone has access to not just their PAN, Aadhaar but also how much insurance they carry, their premium and when does their policy expire. Clearly, this data is being used to send unsolicited insurance policy offers to them," LocalCircles says.
34% of respondents with existing bank accounts admitted to being approached with alternate offers in the past five years
The third question in the survey was about the experience of people with receiving unsolicited offers related to their existing bank account. It asked respondents, "Have you had any instances in the last five years where you received a detailed alternate offer related to your existing bank account(s) via email, phone call, SMS, or WhatsApp?"
About 34% of those with an existing bank account(s) admitted to being approached: 23% had been contacted several times and 11% once or twice. Of the total 10,101 responses received to the question, 60% stated they had never been contacted with an alternate offer, while 6% of respondents were non-committal.
According to LocalCircles, this once again indicates that someone has access to people's banking details and that these are being used to solicit them by providing similar or better terms and conditions for opening a similar account at another bank.
Citizens whose data got compromised by loan agencies, insurance companies and banks believe it was due to their weak data protection governance internally and externally.
In the next question in the survey, LocalCircles sought to understand from citizens the root cause of their personal data getting compromised by financial institutions. It asked respondents, "According to your understanding/experience, what are some of the ways through which your personal information may have been compromised by different entities (loan agencies, insurance companies, banks, etc.)?"
In response, 53% stated, 'service providers of these entities sell and/or share personal data'. The next largest segment, constituting 43% of respondents, felt that the entities themselves sell and/or share personal data. Employees of these companies are believed to be the source of the leak by 38% of respondents, while 33% feel that as these entities share data with government agencies, employees of those offices sell and/or share personal data.
There are also 33% who feel the systems of these entities are not secure and thus subject to cyber thefts while 5% believe data breach can happen through other means, and 8% of respondents are not sure why personal data breach happens.
Many among the 10,173 respondents to this question selected more than one option about reasons for personal data breach, thus the total does not equate to 100%, LocalCircles clarified.
LocalCircles says the survey points to a clear need for a strong data protection law with clear disincentives for non-compliance, implemented effectively by financial institutions at every level. "As the government of India looks to release its draft data protection bill for public feedback and parliamentary debate, they must address all the above issues raised by the citizens to safeguard personal financial data of all citizens," it added.