Thousands of Indian bank transfer records found online

A significant data breach involving an unsecured cloud server has come to light, revealing sensitive banking information for hundreds of thousands of individuals in India. Cybersecurity experts from UpGuard uncovered a publicly accessible Amazon-hosted storage server late in August, which contained an astonishing 273,000 PDF documents related to customer bank transfers. The leaked files included details such as account numbers, transaction amounts, and personal contact information, all pertaining to transactions processed via the National Automated Clearing House (NACH). This centralized system is essential for managing high-volume recurring payments in India, including salaries, loan repayments, and utility bills. The breach spans at least 38 different banks and financial institutions, as reported by the researchers to TechCrunch. The reasons behind this data exposure remain unclear, although such security mishaps often arise from misconfigurations or human error. The responsibility for the leak and subsequent security measures taken is still under question. In their findings, UpGuard noted that a sample of 55,000 documents revealed a notable frequency of references to Aye Finance, an Indian lender that had previously filed for an IPO worth $171 million. The State Bank of India also appeared frequently in the sample. Following the discovery of the exposed data, UpGuard promptly informed Aye Finance through multiple communication channels, including corporate and customer care emails. They also reached out to the National Payments Corporation of India (NPCI), the government authority overseeing NACH. However, by early September, researchers observed that thousands of files continued to be added to the exposed server daily, prompting them to alert India's computer emergency response team, CERT-In. The exposed data was eventually secured, but the accountability for the incident remains a point of contention. NPCI spokesperson Ankur Dahiya clarified that the compromised data did not originate from their systems, stating that thorough verification confirmed no exposure of NACH-related information. Meanwhile, efforts to obtain comments from Aye Finance's co-founder and CEO, Sanjay Sharma, and the State Bank of India have gone unanswered.