A misconfigured cloud server has resulted in the leak of hundreds of thousands of confidential bank transfer records in India, exposing account details, transaction amounts, and personal contact information.
Cybersecurity experts from UpGuard found a publicly accessible Amazon cloud storage server in late August, which contained 273,000 PDF files associated with bank transfers for Indian clients.
The compromised documents were completed transaction forms meant for processing through the National Automated Clearing House (NACH), a centralized platform in India that handles large-scale recurring payments like payroll, loan installments, and utility bills.
According to the researchers, the leaked data was associated with at least 38 banks and financial organizations, as reported to TechCrunch.
The reason for the data being left open to the public remains unknown, but such incidents often occur due to configuration mistakes or human oversight.
However, it is still uncertain who was responsible for the exposure, who took steps to secure the data, and who should notify those affected by the breach.
Data is now protected, but accountability is lacking
In a blog post outlining their discovery, UpGuard’s team noted that over half of a 55,000-document sample referenced Aye Finance, an Indian lender that applied for a $171 million IPO last year. The State Bank of India, a government-owned institution, was the next most frequently mentioned in the sample, according to their findings.
Upon identifying the leak, UpGuard contacted Aye Finance via its corporate, customer support, and grievance redressal email addresses. The team also notified the National Payments Corporation of India (NPCI), which oversees NACH.
By the start of September, the researchers observed that the server remained exposed, with thousands of new files being uploaded each day.
UpGuard then reached out to CERT-In, India’s computer emergency response team. Soon after, the server was secured, the researchers informed TechCrunch.
Yet, no organization has stepped forward to accept responsibility for the breach.
When asked for a statement, NPCI spokesperson Ankur Dahiya told TechCrunch that the leaked data did not originate from NPCI’s infrastructure.
“A thorough review and verification have established that no NACH mandate data or records from NPCI’s systems were exposed or compromised,” the spokesperson wrote in an email to TechCrunch.
Sanjay Sharma, co-founder and CEO of Aye Finance, did not reply to TechCrunch’s request for comment. The State Bank of India also did not respond to inquiries.
