Hackers Claim Breaches of Bancolombia and Banco de Bogotá, Leak Customer Data Samples

What happened

Threat actors claim they breached Grupo Bancolombia and Banco de Bogotá and posted customer data samples on an underground forum. The posts appeared on April 8, 2026, and included files the attackers said were taken from the two Colombian financial institutions. In the Grupo Bancolombia case, the shared material included screenshots that appear to show an internal content management system tied to digital services, along with PDF files containing small datasets of customer and advisor records. Those records included full names, location data, insurance plan details, and login or logout timestamps. In the Banco de Bogotá claim, the sample files contained about 30 records with full names, phone numbers, and physical addresses. The full extent of the alleged breaches has not been verified, and no public confirmation from either bank was included in the report.

Who is affected

The potential exposure affects customers of Grupo Bancolombia and Banco de Bogotá whose information may be included in the claimed leaked datasets. The sample tied to Grupo Bancolombia appears to contain limited customer and advisor records, while the Banco de Bogotá sample includes more direct contact details such as phone numbers and physical addresses. 

Why CISOs should care

This matters because even limited leaked samples can create meaningful risk when attackers combine them with other stolen data. Names, addresses, phone numbers, insurance information, and login activity can support more convincing phishing, impersonation, and social engineering campaigns, especially in the financial sector. It also shows how unverified breach claims can still create immediate customer risk if exposed data is specific enough to be weaponized. 

3 practical actions

  1. Treat sample leaks as an immediate scoping event: Validate quickly whether leaked screenshots, PDFs, or record samples match internal systems or customer data before broader claims spread further. 
  2. Prepare for targeted customer impersonation: Warn customers and frontline teams that attackers may use exposed names, addresses, banking context, or insurance details to make phishing attempts appear legitimate. 
  3. Separate verified facts from attacker claims: Keep incident communications tightly focused on what has been confirmed, since the broader breach claims remain unverified at this stage. 
