A hacker has claimed to be selling data related to thousands of current and former employees of the Indian conglomerate Piramal Group, which operates in the pharmaceutical, financial services, and real estate sectors. However, Piramal Group denies that its systems were breached, asserting that the data came from a third party.
Last week, the hacker posted a sample of the allegedly stolen data on a known cybercrime forum. The data sample included full names and email addresses. Such information could be valuable to cybercriminals for launching targeted attacks against employees.
Piramal Group employs over 10,000 people from 21 nationalities across more than 30 countries, according to its website. The Mumbai-headquartered company has a global brand presence in over 100 markets and operates several subsidiaries, including Piramal Enterprises (a non-banking financial company), Piramal Pharma, Piramal Healthcare, and Piramal Realty (a real estate development arm).
A larger sample of the data, containing over 10,000 entries, was obtained from the hacker. Verification of some entries via a job listing portal confirmed that the data included information about current and former employees of Piramal Group.
When contacted, Piramal Group denied any data breach on its systems. The company suggested that the data could have originated from a third party. Mihir Mukherjee, a spokesperson for Piramal, stated, “After conducting a thorough investigation, we can confirm that there has been no data breach incident at Piramal Group. Our IT and cybersecurity teams have rigorously examined our systems, and there is no evidence to support the claim that any information or files of this nature exist on our servers. Additionally, the sample data does not include any Piramal information such as employee email IDs, and it appears to originate from a third-party platform.”
Piramal later identified Mailinator, a platform used for testing email and SMS workflows, as the source of the data. Mailinator did not immediately respond to requests for comment.
When questioned, Piramal’s spokesperson declined to explain how the company determined it had not experienced a data breach, including whether it had the technical capabilities to detect data exfiltration.
Piramal also mentioned that it had received an inquiry about the incident from India’s computer emergency response team, CERT-In. The spokesperson noted, “After a thorough investigation, we confirmed to CERT-In that no such data breach incident has occurred on our systems, and no information is compromised.”
The ongoing investigation aims to clarify the origins of the data and ensure the security of Piramal Group’s systems.