Dark Web News Analysis
A threat actor on a known hacker forum is advertising the alleged sale of a massive database belonging to Bajaj Finserv (bajajfinserv.in), one of India’s largest non-banking financial companies (NBFCs). The dataset reportedly contains 6.3 million client records.
Brinztech Analysis:
- The Listing: The data is described as “strong KYC information” and includes highly sensitive fields: Full Names, Mobile Numbers, Emails, Dates of Birth, Gender, and partially masked National IDs/Aadhaar numbers. The seller claims the data originates directly from www.bajajfinserv.in.
- Context: This alleged breach surfaces amidst a turbulent cybersecurity landscape for Indian finance. It follows a confirmed April 2025 incident where hackers leaked 1.59 million records from Indian insurance providers, including Bajaj Allianz. This new 6.3 million-record claim may be a significant escalation of that previous event or a completely new compromise.
- Data Validity: The specific mention of “partially masked” IDs suggests the data might have been scraped from a customer-facing portal or leaked from a third-party verification vendor where data masking was implemented but insufficient to protect the full identity profile when combined with other PII.
Key Cybersecurity Insights
This alleged data breach presents a critical threat to millions of Indian financial consumers:
- Enabling Identity Verification Bypass: The combination of strong KYC data (DOB, contact info) alongside partially masked government IDs could enable attackers to bypass “forgot password” flows or identity verification checks on other fintech platforms.
- High Utility for Targeted Financial Fraud: With loan and deposit status potentially exposed, attackers can launch highly targeted vishing (voice phishing) attacks. Scammers can pose as Bajaj Finserv agents, referencing real loan details to trick victims into transferring funds or sharing OTPs (“digital arrest” scams).
- Significant Regulatory Repercussions: This breach falls squarely under the purview of India’s newly enforced Digital Personal Data Protection (DPDP) Act, 2023. Bajaj Finserv faces potential penalties of up to ₹250 crore if they fail to prevent or report a breach of this magnitude.
- Reputational Damage: As a trusted brand for loans and insurance, a breach of this scale erodes consumer confidence. The “strong KYC” description implies that the very data collected to secure the customer is now being sold to exploit them.
Mitigation Strategies
In response to this claim, Bajaj Finserv and its customers must take immediate action:
- Immediate Forensic Investigation: Bajaj Finserv must urgently verify the authenticity of the sample data against their live database. Determine if the leak originated from a direct web vulnerability (API scraping) or a third-party KYC vendor.
- Proactive Client Communication: If the data is valid, notify the 6.3 million affected clients immediately. Transparency is critical. Warn them specifically about fake calls regarding loan closures or KYC updates.
- Fortified Authentication: Implement stronger, adaptive Multi-Factor Authentication (MFA) for customer logins. Simple SMS OTPs may be vulnerable if phone numbers are targeted for SIM swapping.
- Regulatory Compliance: Prepare for mandatory breach reporting to the Data Protection Board of India (DPBI) and CERT-In within the required timelines to mitigate legal penalties.
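One way to carry out the sample check in the "Immediate Forensic Investigation" item above, added here as an example (not Brinztech's or Bajaj Finserv's code): leaked rows are matched to internal records through keyed hashes of the normalized phone number, and a partially masked ID is compared only on its visible digits. The field names, the key, and every record below are constructed assumptions.

```python
import hashlib, hmac, re

# Assumption: a per-investigation secret, so shared indexes hold digests rather than raw phone numbers.
KEY = b"constructed-demo-key"
# Constructed internal records (hypothetical schema).
CUSTOMERS = [
    {"mobile": "9000000001", "email": "a.rao@example.com", "dob": "1990-01-15", "national_id": "000011112222"},
    {"mobile": "9000000002", "email": "s.iyer@example.com", "dob": "1985-07-30", "national_id": "000033334444"},
]
# Constructed rows standing in for the seller's sample.
LEAK_SAMPLE = [
    {"mobile": "+91 90000 00001", "email": "A.Rao@example.com", "dob": "1990-01-15", "national_id": "XXXX XXXX 2222"},
    {"mobile": "090000-00002", "email": "old@example.com", "dob": "1985-07-30", "national_id": "XXXXXXXX4444"},
    {"mobile": "9000000099", "email": "x@example.com", "dob": "2000-01-01", "national_id": "XXXXXXXX0000"},
]

def norm_phone(raw):
    # Keep digits only, then the last 10, dropping +91 or a leading trunk zero.
    return re.sub(r"\D", "", raw)[-10:]

def digest(value):
    # Keyed hash so the lookup key cannot be reversed without KEY.
    return hmac.new(KEY, value.encode(), hashlib.sha256).hexdigest()

def masked_id_matches(masked, full):
    # True when every unmasked character of the leaked ID equals the stored ID.
    m, f = (re.sub(r"[\s-]", "", v) for v in (masked, full))
    return len(m) == len(f) and all(a in "Xx*" or a == b for a, b in zip(m, f))

def build_index(customers):
    # Index internal records by HMAC of the normalized phone number.
    return {digest(norm_phone(c["mobile"])): c for c in customers}

def score_record(leaked, index):
    # Fields of a leaked row that agree with the internal record; None if the phone is unknown.
    rec = index.get(digest(norm_phone(leaked["mobile"])))
    if rec is None:
        return None
    hits = ["mobile"]
    if leaked["email"].strip().lower() == rec["email"].strip().lower():
        hits.append("email")
    if leaked["dob"] == rec["dob"]:
        hits.append("dob")
    if masked_id_matches(leaked["national_id"], rec["national_id"]):
        hits.append("national_id")
    return hits

def assess(sample, index):
    # Summarize how much of the sample corresponds to real customers.
    hits = [h for h in (score_record(r, index) for r in sample) if h]
    return {"sample": len(sample), "phone_match": len(hits), "all_fields": sum(len(h) == 4 for h in hits)}
```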
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com