6 in 10 citizens surveyed report personal data breach by their loan service provider while 4 in 10 point finger towards insurance providers or banks

November 17, 2022, New Delhi: Earlier this year, citizens via LocalCircles had expressed that financial institutions and telecom companies and more so their last mile interface were top offenders in compromising their personal data. With the personal data protection bill being withdrawn earlier this year and a new data protection bill being in the works, citizens have regularly been sharing their data privacy concerns through the year. With the hope that the new data protection will soon be released for public inputs, LocalCircles decided to conduct a detailed study on the financial sector from a data privacy breach standpoint so concerns and experiences of citizens across the country can be quantified and used as an input in the formation of the law. One of the most common complaints received in the financial sector have been about people receiving detailed alternate offers regarding their existing loans, insurance policies and banking. The study received over 41,000 responses from citizens located in over 319 districts of the country. 64% respondents were men while 36% respondents were women. 45% respondents were from tier 1, 33% from tier 2 and 22% respondents were from tier 3, 4 and rural districts.

​59% of those with existing loans have been approached with detailed alternate offers in the last five years

The first question in the survey was about understanding experience of people with their loans and especially alternate offers regarding their loans. It asked respondents, “Have you had any instances in the last 5 years where you received a detailed alternate offer related to your existing loan via email, phone call, sms, whatsapp?” In response, 33% out of 10,980 respondents stated “Yes, happened several times”, 26% stated “Yes, happened once or twice, while 41% were fortunate not to have received any such communication. Loan terms can be anywhere ranging from a couple of months to even 10 years in case of home loans. On an aggregate basis, the survey found that, 59% of those with an existing loan have received detailed alternate offers to switch to another lending institution either via email, phone call, SMS, whatsapp, etc within the last 5 years. This indicates a massive data breach as the sender has access to an individual’s personal loan data which is being used to send unsolicited loan offers.

40% of respondents surveyed say they have been approached with detailed alternate offers for their existing insurance policies

The second question in the survey was about experience of people with their insurance policies and especially if they received alternate offers on their insurance policy. It asked respondents, “Have you had any instances in the last five years where you received a detailed offer related to your existing insurance policy/ policies via email, phone call, sms, whatsapp?” 40% of the 10,665 respondents to the question had been approached. Out of them, 30% shared they had been approached several times, and 10% once or twice. Of the remaining, 55% stated it had “never happened” while 5% were not sure. What this means is that on an aggregate basis 4 in 10 citizens who hold an insurance policy received detailed alternate offers to their policy indicating that some one has access to not just their PAN, aadhaar but also how much insurance they carry, their premium and when does their policy expire. Clearly, this data is being used to send unsolicited insurance policy offers to them.

34% respondents with existing bank account(s) admitted to being approached with alternate offers in the last five years

The third question in the survey was about experience of people with receiving unsolicited offers related to their existing bank account. It asked respondents, “Have you had any instances in the last five years where you received a detailed alternate offer related to your​​ existing bank account(s) via email, phone call, sms, whatsapp?” 34% of those with existing bank account(s) admitted to being approached. Out of them, 23% had been approached several times and 11% once or twice. Of the total 10,101 responses received to the question, 60% stated they had never been approached with an alternate offer while 6% respondents were non-committal. Once again it indicates that some one has access to people’s banking details and they are being used to solicit them by providing similar or better terms and conditions for opening a similar account at another bank.

The breach of data is not just confined to personal information. Union Minister of State for Finance Bhagwat Karad told Parliament in August this year that data fraud amounting to INR 6,861 crore was reported by private and public sector banks in the first quarter of the current financial year. The Parliament was informed that Indian banks reported 248 data breaches between June 2018 and March 2022 resulting in theft of business and personal information mostly due to card details leakage. Of the 248 data breaches, 41 were reported by public sector banks, 205 by private sector banks and two by foreign banks, the minister said. Karad in his response also stated that the Reserve Bank of India (RBI) has informed the Centre that it has issued guidelines on Cyber Security Framework for Scheduled Commercial Banks (SCBs) to implement cyber security and information technology (IT) controls, among other things, for prevention of data leakage from its systems.

Citizens whose data got compromised by loan agencies, insurance companies and banks believe it was due to their weak data protection governance internally and externally

In the next question in the survey, LocalCircles attempted to understand from citizens about the root cause of their personal data getting compromised by financial institutions. It asked respondents, “According to your understanding/ experience, what are some of the ways through which your personal information may have been compromised by different entities – loan agencies, insurance companies, banks, etc.?” In response, 53% stated “service providers of these entities sell and/or share personal data”. The next largest segment of respondents felt “entities themselves sell/ or share personal data – this group constituted 43% of respondents. Employees of these companies are believed to be the source of leak by 38% respondents, while 33% feel that as “these entities share data with government agencies, employees of those offices sell and/ or share personal data”. There are also 33% who feel “systems of these entities are not secure and thus subject to cyber thefts” while 5% believe data breach can happen through other means, and 8% of respondents are not sure why personal data breach happens. Many among the 10,173 respondents to this question selected more than one option about reasons for personal data breach, thus the total does not equate to 100%.

Protecting customer or consumer data has never been part of the process design at most financial institutions like loan agencies, insurance providers and banks in India, but an afterthought. As and when vulnerabilities are found, the citizen centric financial institutions have plugged the gap while many of them have just addressed the issue at hand without making long term process and system changes. The last mile of these institutions is the most vulnerable either because they employ an external organization i.e. contract workers or these organisations haven’t been briefed about the rules and regulations related to data protection. Even the front-line staff of most of these financial institutions works with customers using their personal phone and whatsapp and when any such individual leaves the organization the personal financial data of the customers goes with them leaving them highly vulnerable to theft and fraud. Most commonly, the same individual joins another competing financial institution and the same customer gets an unsolicited request to avail of a similar financial service by that company. The lack of a data protection law has led to most financial institutions not designing their processes to protect private information of customers.

In summary, the survey finds that personal data breach is increasingly common in the financial services sector. With 59% citizens claiming that their data has been compromised by loan agencies, 40% alleging that it has been the insurance provider and 34% believing that it is the banks that misused their data, it is clear that people believe financial institutions are failing in their responsibility to protect their personal data. When asked about how such data is getting compromised, majority felt it was the weak internal and external governance at the financial institutions that was leading to it. Also, highest number of people, 53% felt that it was the service providers of these institutions that compromise personal data while 38% felt employees were involved as well. A sizable 43% also felt that the institutions themselves were compromising their information or selling it, a big enforcement or communication gap that the financial institutions must plug. All in all, the survey points to a clear need for a strong data protection law with clear disincentives for non-compliance, implemented effectively by financial institutions at every level. As the Government of India looks to release its draft data protection bill for public feedback and parliamentary debate, they must address all the above issues raised by the citizens to safeguard personal financial data of all citizens.