Top 5 Data Breaches in India And What Every BFSI Leader Should Learn From Them

Table Of Contents

The average cost of a data breach in India reached an all-time high of INR 220 million in 2025 (13% higher than last year).

For BFSI, data privacy and protection challenges are even more so because banks, NBFCs, insurers, fintechs, and securities firms hold some of the most valuable personal data in the economy. Think Aadhaar numbers, PAN information, bank account details and transaction histories. 

These challenges will keep climbing as we move into an era of "data-in-use" vulnerabilities. The biggest heists no longer target money, but the millions of customer master data records that comprise digital identities.

For organizations handling Personally Identifiable Information (PII), the following five breaches show why sensitive data protection is now a regulatory and business requirement. They also serve as critical case studies in why traditional perimeter security is no longer sufficient.

The 750 million Records Leak

 January 2024

A dataset containing personal information of approximately 750 million Indian citizens (including names, mobile numbers, addresses, and Aadhaar-linked details) was offered for sale on a dark web forum by a threat actor named "CyberX9." The data was reportedly being sold in bulk, with Aadhaar information included in the exposed records. The origin of the breach was never definitively confirmed, pointing to a fragmented data supply chain where PII passes through multiple third parties, any one of which could be the point of failure. 

The lesson: 

When personal data traverses processors, aggregators, and integration partners in plaintext, every node in that chain is a potential breach point. 

Star Health Insurance 31 Million Records Breach

September 2024

7.24 terabytes containing 31 million personal records including medical details of Star Health Insurance customers were leaked online by a hacker named xenZen. The data breach included names, policy details, health conditions, and financial information. What made this incident distinctive was the alleged insider dimension, reports suggested the data was accessed via an internal channel, not an external attack. The IRDAI slapped a penalty of ₹3.39 crore for the breach.

Data fiduciaries are responsible for maintaining the accuracy of data, keeping data secure, deleting data once its purpose has been met and protect any person personal data in their possession. Thus, "As per the new Digital Personal Data Protection Act, 2023, such a breach can spell a death sentence for the data fiduciary i.e. the Company.”

The lesson

Perimeter security does not protect against access from within. When sensitive data is readable to everyone who touches it operationally, the insider threat is structural, not behavioral.

Angel One’s 7.9 Million Customer Data Breach

April 2023

The personal information of around 7.9 million customers from Mumbai-based stockbroking firm Angel One was leaked, exposing sensitive details such as bank account numbers. The breach affected a regulated financial services entity with established security controls, demonstrating that compliance with regulatory frameworks does not equal zero-exposure architecture. The exfiltrated data included account-level financial information that had direct fraud utility. 

The lesson

Regulatory compliance and architectural data protection are not the same thing. A firm can be audit-ready and still be holding customer PII in a state that makes a breach immediately monetizable.

The NACH Bank Transfer Exposure

September 2025

Cybersecurity researchers at UpGuard discovered a publicly accessible Amazon-hosted storage server containing 273,000 PDF documents relating to bank transfers of Indian customers, with data linked to at least 38 different banks and financial institutions. The documents contained completed National Automated Clearing House (NACH) transaction forms (salary processing, pension transfers, loan repayments) left exposed on a misconfigured cloud storage instance. More than half of the files in a sample mentioned Aye Finance, with State Bank of India appearing as the next most frequently mentioned institution. 

The lesson

Data at rest is only as safe as the configuration of the environment storing it. Cloud misconfiguration is now among the most common and most avoidable causes of PII exposure in Indian financial services.

Hathway’s 41.5 Million Customers Data Breach

March 2024

Hathway, one of India’s largest Internet Service Providers and cable television operators, experienced a major security breach that compromised the personal information of over 41.5 million customers. The breach resulted from the exploitation of a critical vulnerability in Hathway's content management system, enabling attackers to access and subsequently leak approximately 200GB of highly sensitive user data (including customer names, email addresses, phone numbers, residential addresses, account credentials, and billing details).

The scale illustrates a consistent pattern: when PII is stored in plaintext across operational systems and a single vulnerability is exploited, the entire customer base is exposed simultaneously.

The lesson

The blast radius of a breach is directly proportional to how much plaintext PII exists in a single exploitable environment. Tokenization shrinks that radius to zero since the encrypted stolen data has no street value.

The Pattern Across All Five Data Breaches

In 2025, cyber incidents in India's BFSI sector reached 2.9 million. These incidents have occurred across different technologies, yet they share several common themes:

  • Sensitive customer data existed in multiple locations.
  • Organizations lacked complete visibility into where data resided.
  • Access controls and governance were insufficient.
  • Third-party data processors increased exposure.
  • Privacy risks accumulated silently over time.
More importantly, every breach has one thing in common: the data, once accessed, was immediately useful. Names were readable. PAN numbers were intact. Bank account details were in plaintext. The breach was valuable because the data was exposed. 

Protecting Systems Is Not The Same As Protecting Data

Many organizations have already invested in:

  • Firewalls
  • Endpoint security
  • Identity management
  • Encryption
  • Monitoring tools

Yet customer data leakage and PII breach risk continue to rise. Why? Because traditional perimeter security is no longer sufficient when it comes to protecting data. 

Zero data exposure technologies, like PII Data Vault, make breaches pointless. They tokenize customer data at ingestion and process it in encrypted form. So even in a case of a breach, it yields nothing actionable. The attacker leaves only with tokens, which are worthless.

The Critical Question

The question to ask yourself is not "Could this happen to us?" It is: "How much sensitive customer data is currently exposed inside our organization today?"

What Is Customer PII Exposure Costing You?

Most Indian financial institutions have no quantified view of what their current PII exposure represents.

The PII Exposure Cost Assessment gives you that number. It takes five minutes, scores your organization, and estimates the financial impact of your current exposure footprint against the three pillars of Zero-Data-Exposure value: Compliance, Risk, and Trust.

Calculate Your Cost →