Poland’s financial sector has been hit by a major cyberattack that exposed sensitive data belonging to customers of the online loan platform SuperGrosz. The country’s deputy prime minister and minister of digital affairs, Krzysztof Gawkowski, confirmed the breach and called it “very serious.”
According to official statements, the attackers gained access to personal and financial information of SuperGrosz clients and their family members. The stolen data includes names, national identification numbers (PESEL), ID card information, home and email addresses, phone numbers, marital status, employment details, income declarations, and bank account numbers.
The affected company, SuperGrosz, is operated by AIQLABS sp. z o.o., a financial services provider offering short-term and installment loans. Investigations are being led by two key national cybersecurity teams: CSIRT KNF, which oversees financial institutions, and CSIRT NASK, which handles incidents across the broader digital infrastructure. Poland’s Personal Data Protection Office has also been notified.
Gawkowski urged citizens to take immediate protective measures. In a public message posted on X, formerly Twitter, he advised customers to change passwords, enable two-factor authentication, and use the government’s mObywatel mobile app to block their PESEL numbers. Blocking a PESEL number prevents criminals from using stolen data to apply for loans or commit identity fraud.
The minister also warned that cyberattacks are becoming a routine threat to Poland and other European Union members. He said the government is strengthening its response mechanisms but added that individuals must remain alert to phishing attempts, fake loan offers, and identity-theft scams following the breach.
Local media reported that the incident occurred shortly after a distributed denial-of-service attack disrupted Poland’s national payment system, including the mobile payment network BLIK. Authorities said that the system has since stabilised, but confirmed that both incidents are under review for possible links.
SuperGrosz has not disclosed how many people were affected. The company said it is cooperating with investigators to determine how the attackers gained access to its systems and whether any customer funds were compromised. While early evidence suggests the breach focused on personal data rather than financial transactions, Polish regulators have classified the attack as a serious privacy incident.
The exposure of PESEL numbers, combined with full identity and banking details, poses a significant risk of fraud. Criminals can use such information to open fraudulent accounts, apply for credit, or perform social engineering attacks against victims. Authorities have advised customers to monitor their bank statements closely, check for new loan applications, and report any unusual financial activity.
Security specialists say the breach underlines persistent weaknesses in the data protection practices of smaller financial platforms. While large banks often maintain dedicated cybersecurity teams, smaller lenders and fintech firms tend to rely on third-party security tools and limited internal monitoring. Attackers frequently target these weaker links to obtain valuable personal data that can later be used or sold on criminal forums.
Industry observers note that the attack fits into a wider pattern of financially motivated cybercrime targeting Eastern European countries. Over the past year, several Polish institutions, including government agencies and regional banks, have reported an increase in phishing and ransomware attempts. Analysts attribute this trend to organised groups that exploit local fintech platforms for identity theft and credit fraud.
Polish authorities have emphasised that strengthening cybersecurity in the financial sector remains a national priority. They are urging companies to adopt network segmentation, real-time monitoring systems, and more rigorous authentication methods. For individuals, digital literacy and prompt response to possible data misuse are seen as the best forms of defence.
While investigations continue, officials say there is no evidence that the stolen data has yet been sold or published online. However, they caution that this could change in the coming weeks. SuperGrosz customers have been told to assume that their data is compromised until the company provides further updates.
The case highlights how data breaches can erode trust in online financial services. As Poland expands its digital economy, the balance between accessibility and security will remain a pressing challenge for both regulators and service providers.
