Thousands of Indian bank transfer records found spilling online after security lapse


A significant security breach involving an unsecured cloud server has resulted in the exposure of sensitive banking documents in India. The incident revealed hundreds of thousands of bank transfer records, including account numbers and transaction details, raising serious concerns about data privacy and security.

Researchers from the cybersecurity firm UpGuard made the discovery in late August, finding a publicly accessible Amazon-hosted storage server that contained around 273,000 PDF documents related to bank transfers by Indian customers. The files included transaction forms designed for processing through the National Automated Clearing House (NACH), a centralized platform that facilitates high-volume transactions such as salaries, loan repayments, and utility bills. The exposed data was associated with at least 38 banks and financial institutions.

Although the breach was eventually contained, the exact source of the leak remains unidentified. In response to queries, the Indian fintech company NuPay confirmed to TechCrunch that it had resolved a configuration issue with an Amazon S3 storage bucket that held the bank transfer documents. It is unclear why such sensitive data was left exposed online, though lapses of this nature often stem from human error.

In a blog post detailing their findings, UpGuard researchers noted that among a sample of 55,000 documents examined, more than half were linked to Aye Finance, an Indian lender that had filed for a $171 million IPO the previous year. The State Bank of India also appeared frequently in the examined documents.

After uncovering the exposed data, UpGuard notified Aye Finance and the National Payments Corporation of India (NPCI), which oversees the NACH system. Despite these warnings, the data remained publicly accessible by early September, with thousands of additional files being uploaded daily. UpGuard escalated the issue to India’s Cyber Emergency Response Team (CERT-In), leading to the eventual securing of the exposed data.

Even with the data secured, uncertainty lingered over the entity responsible for the breach. Both Aye Finance and NPCI denied being the source, while a spokesperson from the State Bank of India acknowledged being contacted but did not provide further comment.

NuPay later confirmed its role in the incident, with co-founder Neeraj Singh stating that the Amazon S3 bucket contained a “limited set of test records with basic customer details,” and asserting that most files were either dummy or test records. UpGuard challenged NuPay's assertions, highlighting that only a small fraction of the sampled files appeared to contain test data. The researchers also questioned how NuPay could determine there was no unauthorized access, given that NuPay had not requested the IP addresses associated with the investigation. Additionally, the public Amazon S3 bucket details were not exclusive to UpGuard's researchers, as they had been indexed by Grayhatwarfare, a database for publicly visible cloud storage. NuPay's Singh did not clarify how long the bucket had been exposed to public access.

Sources: TechCrunch

Published On: Sep 26, 2025, 16:15
