What Happened
Fintech data security India stepped into the spotlight on May 29, 2026, when PB Fintech — the insurtech powerhouse behind PolicyBazaar and PaisaBazaar — made headlines for an entirely different reason: cofounders Yashish Dahiya and Alok Bansal together offloaded approximately 38 lakh shares via multiple block deals, with the combined transaction value touching ₹665 crore. Originally reported by Inc42, the story is financial news on the surface. But as someone who spent years building enterprise architecture for Fortune 500 companies before founding Bachao.AI, I see something underneath the headline that every Indian SMB owner should pay attention to.
PolicyBazaar and PaisaBazaar together serve over 7 crore registered users across India. They hold KYC documents, health histories, income records, loan application data, and insurance policy details for millions of Indians — including thousands of small and medium businesses that use these platforms to manage employee group health insurance, business credit lines, and term cover. That is an enormous blast radius: a term we used in enterprise security to describe how far the damage travels if a single system is compromised.
The share sale itself is not a security event — PB Fintech has not reported any breach. But the scale it represents is exactly what should prompt every Indian SMB to ask a harder question: How much of my business and employee data lives inside third-party fintech platforms — and what happens to my obligations if that platform is ever attacked?
Why This Matters for Indian Businesses and Fintech Data Security
The PB Fintech transaction spotlights a sector that now holds some of the most sensitive data in India. If you are an SMB owner using PolicyBazaar for employee group health insurance, or PaisaBazaar to manage business credit, your employees' Aadhaar numbers, PAN cards, and health records sit in a third-party database you do not control. Your financial statements and credit data live there too.
Under the Digital Personal Data Protection (DPDP) Act, 2023, this creates a shared liability structure that most SMB owners are not aware of. If a data fiduciary — the company collecting and processing data on your behalf — suffers a breach, the obligations around notification, remediation, and compliance can extend to your business, particularly if you directed the data collection (for example, by enrolling your employees on a group insurance portal). CERT-In's 6-hour breach notification mandate means you may have less than a workday to assess your own exposure and file a report. That is not a comfortable timeline if you are discovering the breach from a news article.
The RBI Cyber Security Framework also governs entities like PB Fintech — but SMB owners should not mistake their vendor's regulatory compliance for their own protection. You remain responsible for the data you share, the permissions you grant, and the API integrations you enable.
Technical Breakdown: How Fintech Platforms Are Compromised
Fintech platforms like PB Fintech operate complex multi-tier architectures — mobile apps, broker portals, partner APIs, payment gateways, and cloud databases — each one a potential entry point. Understanding the attack chain is the first step toward protecting yourself.
graph TD
A[Phishing: Broker Employee] -->|Credential theft| B[Partner Portal Access]
B -->|Privilege escalation| C[Internal Admin Dashboard]
C -->|API abuse| D[Customer Data Store]
D -->|Bulk export| E[Dark Web Sale]
E -->|Targeted fraud| F[SMB Customer Victimised]
B -->|Lateral movement| G[Payment Gateway]
G -->|Transaction fraud| H[Financial Loss]Here is how a typical fintech attack chain unfolds in practice:
- Initial Compromise — Attackers target broker-facing or partner-facing portals, not the main consumer app. These subsystems often have weaker authentication than the primary product because they are built faster and audited less frequently.
- Credential Stuffing — Using dumps from previous breaches, attackers attempt bulk logins. Fintech APIs that do not enforce multi-factor authentication (MFA) on partner accounts are particularly vulnerable.
- API Enumeration and Abuse — Once inside, attackers enumerate REST or GraphQL endpoints to pull customer records in bulk. APIs without proper rate-limiting or field-level access controls can be drained of millions of records in hours.
- Data Exfiltration — PAN, Aadhaar, income details, and health records are packaged and listed on dark web marketplaces, often within 24–48 hours of exfiltration.
- Downstream Fraud — Your employees begin receiving targeted vishing calls: "We know your policy number is X and your premium is due — please share your OTP to continue." The attacker knows enough to sound legitimate.
Practical: Audit Your Fintech API Integrations Right Now
If your business connects to any fintech partner via API, run these checks to surface common misconfigurations:
# 1. Test for unauthenticated API endpoints
curl -v https://api.your-fintech-partner.com/v1/policies \
-H "Accept: application/json" \
2>&1 | grep -E "HTTP|401|403|200|authentication"
# 2. Check for verbose error messages that leak DB or stack info
curl -X POST https://api.your-fintech-partner.com/v1/login \
-H "Content-Type: application/json" \
-d '{"username":"test@test.com","password":"' \
2>&1 | grep -iE "error|sql|stack|exception|internal"
# 3. Check for missing rate limiting (send 20 rapid requests)
for i in $(seq 1 20); do
curl -s -o /dev/null -w "%{http_code}\n" \
"https://api.your-fintech-partner.com/v1/user/lookup?pan=ABCDE1234F"
done
# If all 20 return 200, rate limiting is absent — flag this to your vendor immediatelyCatching Sensitive Data Leaking Through Your Own Code
Many SMBs inadvertently log or transmit sensitive fintech data in their own applications. This Python script audits your outbound request logs:
import re
LOG_FILE = "/var/log/app/outbound_requests.log"
FINTECH_DOMAINS = [
"policybazaar", "paisabazaar", "razorpay",
"cashfree", "paytm", "bharatpe", "navi"
]
SENSITIVE_PARAMS = re.compile(
r'(pan|aadhaar|mobile|dob|income|policy)[=_]([^&\s]+)',
re.IGNORECASE
)
with open(LOG_FILE, "r") as f:
for line in f:
for domain in FINTECH_DOMAINS:
if domain in line.lower():
urls = re.findall(r'https?://[^\s]+', line)
for url in urls:
hits = SENSITIVE_PARAMS.findall(url)
if hits:
print(f"[RISK] Sensitive param in URL: {url[:100]}")
else:
print(f"[OK] {url[:80]}")Run this weekly. A single log line with ?pan=ABCDE1234F in a GET URL is a reportable DPDP Act violation.
Know your vulnerabilities before attackers do
Run a free VAPT scan — takes 5 minutes, no signup required.
Book Your Free ScanHow to Protect Your Business
| Protection Layer | Specific Action | Difficulty |
|---|---|---|
| Vendor Due Diligence | Request SOC 2 Type II or ISO 27001 certificate from every fintech partner annually | Easy |
| MFA Enforcement | Enable MFA on ALL fintech portals — broker, partner, admin, and developer dashboards | Easy |
| API Key Hygiene | Rotate all fintech API keys quarterly; use scope-limited read-only keys where possible | Medium |
| DPDP Consent Audit | Document employee consent for data shared with third-party insurance or credit platforms | Medium |
| Dark Web Monitoring | Monitor your domain and employee email IDs for credential leaks on dark web | Easy |
| Incident Response Plan | Build a 6-hour CERT-In notification runbook and test it quarterly | Hard |
| Data Minimisation | Share only the minimum required fields with each fintech integration | Medium |
Quick Fix: Secure Your Fintech API Keys
In my years building enterprise systems, I have reviewed hundreds of codebases where API keys were committed directly into version control. It is still the most common — and most avoidable — mistake.
# Step 1: Find hardcoded API keys in your codebase (run from project root)
grep -r --include="*.py" --include="*.js" --include="*.env" \
-E "(api_key|secret_key|access_token)\s*=\s*['\"][A-Za-z0-9]{20,}" \
. 2>/dev/null
# Step 2: Check environment variables currently in memory
env | grep -iE "key|secret|token" | grep -v PATH
# Step 3: Move secrets to AWS Secrets Manager (never store in .env files)
export FINTECH_API_KEY=$(aws secretsmanager get-secret-value \
--secret-id "prod/fintech/api-key" \
--query "SecretString" \
--output text)
# Step 4: Verify no secrets in git history
git log --all --full-history -- '*.env' | head -20
git grep -l 'api_key' $(git rev-list --all) 2>/dev/null | head -10
# Any output from these commands requires immediate secret rotation.env files committed to any repository. Use AWS Secrets Manager, GCP Secret Manager, or HashiCorp Vault. A single accidental git push can expose your entire insurance or payment integration to the public internet — and GitHub bots scan for these within seconds of the push.By the Numbers: The Indian Fintech Security Landscape
pie showData
title Fintech Breach Causes in India 2024-25
"Credential stuffing and phishing" : 38
"Unprotected APIs" : 27
"Third-party vendor compromise" : 19
"Insider threats" : 10
"Unpatched vulnerabilities" : 6xychart-beta
title "CERT-In Financial Sector Incidents (India)"
x-axis [2021, 2022, 2023, 2024, 2025]
y-axis "Incidents (hundreds)" 0 --> 50
bar [18, 24, 31, 38, 45]Indian fintech is growing at over 20% annually — and so is the attack surface. CERT-In's 2025 annual report identifies financial services as the single most targeted sector, accounting for nearly 23% of all reported incidents. For SMBs, the risk compounds: you have less visibility into your vendor's security posture, less budget to respond, and proportionally more to lose. Your entire customer and employee database may be exposed through a single compromised fintech integration.
How Bachao.AI Detects This
- API Security Scanner — Automatically tests your fintech integrations for exposed endpoints, missing authentication headers, rate-limit bypasses, and sensitive data leakage in API responses. Surfaces the exact misconfigurations attackers exploit before attackers do.
- Dark Web Monitoring — Continuously scans dark web marketplaces, breach dumps, and Telegram channels for your domain, employee email addresses, and business credentials. If your data surfaces in a third-party breach, you know within hours — not months after the damage is done.
- DPDP Compliance Assessment — Maps your third-party data flows against DPDP Act obligations, identifies consent gaps, flags co-fiduciary relationships, and generates a prioritised remediation roadmap. Specifically covers your obligations when a fintech vendor holds your employee or customer data.
- VAPT Scan — Our free vulnerability assessment covers your web applications, APIs, and cloud infrastructure, surfacing the same API vulnerabilities and misconfigurations attackers pivot through fintech integrations.
- Incident Response (24/7) — If a fintech breach touches your business, our team manages the CERT-In 6-hour notification, customer communication, forensic investigation, and regulatory liaison — so you are not scrambling alone at 2 AM with a six-hour clock running.
Do not wait for your fintech vendor to tell you there is a problem. Run a free VAPT scan today — it takes five minutes, requires no signup, and gives you an immediate read on your API and application security posture before the next incident makes the news.
For more security guides built specifically for Indian SMBs, visit the Bachao.AI blog.
Frequently Asked Questions
Frequently Asked Questions
Is my company's data on PolicyBazaar or PaisaBazaar at risk?
What are my DPDP Act obligations if a fintech vendor I use is breached?
How do I know if my fintech API keys have been compromised?
Does the CERT-In 6-hour breach reporting mandate apply to small businesses?
How can I evaluate whether my fintech vendor has adequate cybersecurity?
What is third-party vendor risk and why should Indian SMBs care?
Originally reported by Inc42. Written by Shouvik Mukherjee, Founder & CEO of Bachao.AI. Follow me on LinkedIn for daily cybersecurity insights for Indian businesses.
Written by Shouvik Mukherjee, Founder & CEO of Bachao.AI. Follow me on LinkedIn for daily cybersecurity insights for Indian businesses.