A misconfigured cloud server has resulted in the exposure of hundreds of thousands of confidential bank transfer records in India, disclosing account details, transaction amounts, and personal contact information.
Cybersecurity experts from UpGuard identified a publicly accessible Amazon cloud storage server in late August, which contained 273,000 PDF files related to bank transfers for Indian clients.
These documents included completed transaction forms meant for processing through the National Automated Clearing House (NACH), a centralized platform used by Indian banks for handling large-scale recurring payments such as payroll, loan installments, and utility bills.
According to the researchers, the leaked data was associated with at least 38 banks and financial organizations, as reported to TechCrunch.
Although the data leak was eventually secured, the researchers stated they were unable to determine the exact origin of the breach.
After this story was published, Indian fintech firm Nupay contacted TechCrunch via email to state that it had “resolved a configuration issue in an Amazon S3 storage bucket” that held the bank transfer documents.
The reason for the data being left open to the public remains uncertain, though such security oversights are often attributed to human mistakes.
Data secured, Nupay cites ‘configuration issue’
In a blog post outlining their investigation, UpGuard’s team noted that, of a sample of 55,000 files they reviewed, over half referenced Indian lender Aye Finance, which had applied for a $171 million IPO the previous year. The State Bank of India, a government-owned institution, was the next most frequently mentioned in the sample, according to the researchers.
Upon finding the exposed information, UpGuard notified Aye Finance through its official, customer service, and grievance email contacts. The team also informed the National Payments Corporation of India (NPCI), the government agency overseeing NACH.
By early September, researchers reported that the data remained unprotected, with thousands of new files being uploaded to the exposed server each day.
UpGuard then alerted CERT-In, India’s Computer Emergency Response Team. The data was secured soon after, according to what the researchers told TechCrunch.
Nevertheless, the party responsible for the security failure was still not identified. Representatives for Aye Finance and NCPI denied involvement in the breach, while a spokesperson for the State Bank of India acknowledged the inquiry but did not comment further.
After the article was released, Nupay admitted responsibility for the data exposure.
Neeraj Singh, Nupay’s co-founder and chief operating officer, informed TechCrunch that only “a limited set of test records with basic customer details” were stored in the Amazon S3 bucket, and asserted that “most were dummy or test files.”
The company stated that its Amazon-hosted logs “verified that there was no unauthorized access, no data leak, no misuse, and no financial consequences.”
UpGuard challenged Nupay’s statements, telling TechCrunch that only a few hundred of the thousands of files they examined appeared to be test data or included Nupay’s name. UpGuard also questioned how Nupay’s cloud logs could conclusively rule out access to the previously public Amazon S3 bucket, especially since Nupay had not requested UpGuard’s IP addresses used during their investigation.
UpGuard further pointed out that the Amazon bucket’s details were not exclusive to their team, as the public S3 bucket address had been indexed by Grayhatwarfare, a searchable database for publicly accessible cloud storage.
When TechCrunch asked, Singh from Nupay did not immediately clarify how long the Amazon S3 bucket was left open to the internet.
Originally published on September 25 and updated with additional information from Nupay.
