iRead, iLearn, iWrite. Hence, iBlog.


Monday, March 07, 2022

Beware, Kotak Mahindra Bank Leaks Customer Data

Kotak Mahindra Bank - Data Leak - 01

Last month, my attention was drawn to an Account Statement emailed from the Kotak Mahindra Bank. I was taken aback, since I held no account with them.

Reviewing the Inbox, I realised that they had been emailing me for a long time. One of the emails contained the Customer Relation Number [CRN], which is supposed to be unique & confidential to each of their customers. It is also the password to the protected PDF file containing the Account Statement. Once opened, I was able to view all their financial details, including their home address. I knew neither of the two individuals.

Kotak Mahindra Bank - Data Leak - 02

Immediately, I visited the nearest physical Branch & notified them of this data leak. More importantly, I insisted that my e-mail ID be disassociated from those accounts. They called up the customer & asked that they update their listed e-mail ID. Despite this, I continued receiving all sorts of unsolicited e-mails from the Kotak Mahindra Bank. A revisit to the Branch to seek redressal kept getting postponed.

Kotak Mahindra Bank - Incorrect ATM Pin - 01

What renewed the urgency to disassociate myself from that Account was the fact that someone was trying to withdraw money from the ATM, without knowing the correct PIN. The transaction got declined, & a message conveying the same reached my Inbox. Realising the potential for crime associated with that account, I tweeted, tagging relevant individuals in it.

In parallel, I tried calling their Call Center, attempting to reach a human, on the numbers 18602662666 & 1800209000. The 3 fruitless calls I made to those numbers cost me the entire morning, the hours of which I shall never get back in my life, ever. One would be blessed with the vision of divinity faster than getting through to a call centre human.

Leaky - 01

Concurrently, I e-mailed them, so that, in the event of any fraudulent activity in that account, I would have documented evidence of my non-association. The human in the call centre offered no help with such an e-mail ID. Scraping the Interwebs, I listed out IDs associated with the Kotak group. The IDs that did not bounce back: service.securities@kotak.com, clientservicedesk@kotak.com, customerfirst@kotak.com, privileged@kotak.com, itsecurity.bank@kotak.com, custodyproduct@kotak.com & bankalerts@kotak.com.

Kotak Mahindra Bank - Data Leak - 03

Today, I received another e-mail from them. In it, they have re-shared the customer's mobile number with me! Even after I informed them of my non-association, they continue to share data with me. Given the amount of user data the Bank has leaked, it is essential to just close the account, & do it yesterday. Using the leaked data, there is a potential for a cyber criminal to take control of the account & utilize it for illegal financial activities.

If the Account statement is anything to go by, closing them would not make any difference to the account holders. There were no financial transactions happening in them.

My take from this: every branch of the Kotak Mahindra Bank had been asked to meet a quota of new accounts created in their Branch. IFSC Code KKBK0000328 refers to a Branch in Shyam Bazar, in Kolkata & IFSC Code KKBK0006575 points to their Raghunathpur Baguihati, Kolkata Branch. Thus, the Manager may have enlisted some tout to meet these targets. This tout used the details of some unsuspecting victim to create these accounts &, where details were lacking, used unrelated data. As Kotak 811 Digital Savings Account is a Zero Balance account, the quality of transactions in them matters not. As the Kotak Mahindra Bank did no verification before approving account creation, we are faced with the situation described above.

Kotak Mahindra Bank - Insufficient Fund - Data Leak - 01

In my opinion, the two individuals in whose names the accounts have been created may not even be in possession of the Bank's Starter Kit or have control of the accounts. Else, why would they try ordering food off Zomato & attempt payment from those accounts, knowing very well they do not hold sufficient [any] money?

It is pertinent that the bank carry out a thorough audit to evaluate the scale of the tout-generated, fraudulently created Bank accounts that are susceptible to being misused as nodes to engage in illegal activities. Till it comes clean on this matter, sharing how it has happened & what remedial measures they have taken to plug the loophole, it is better to avoid banking with the Kotak Mahindra Bank. The integrity of your financial data held with them is suspect.

Godspeed
