N A B I L . O R G
Security - September 26, 2025

Unsecured Cloud Server Exposes Sensitive Bank Data of 273,000 Indians, Raising Questions About Responsibility and Security Measures

A significant data leak originating from an unsecured cloud server has exposed over a quarter of a million sensitive bank transfer documents in India, potentially compromising account numbers, transaction values, and individual contact details.

Upon investigating a publicly accessible Amazon-hosted storage server in late August, cybersecurity firm UpGuard discovered 273,000 PDF documents related to Indian customers’ bank transfers. These files contained completed forms intended for processing via the National Automated Clearing House (NACH), a centralized system used by numerous banks in India for high-volume recurring transactions such as salaries, loan repayments, and utility payments.

At least 38 distinct financial institutions were linked to this exposed data, according to UpGuard’s researchers. The details of who caused the leak, secured it, or alerted those affected by the breach remain unclear.

Among the sampled documents (approximately 55,000), a significant proportion referenced Indian lender Aye Finance, which sought a $171 million Initial Public Offering (IPO) last year. The State Bank of India followed closely in frequency within the sample documents, according to UpGuard’s findings.

Upon discovering the exposed data, UpGuard notified Aye Finance via corporate, customer care, and grievance redressal email addresses. Additionally, they alerted the National Payments Corporation of India (NPCI), the government body overseeing NACH.

Despite early September efforts to secure the data, it remained exposed, with thousands of new files added daily. UpGuard then contacted India’s computer emergency response team, CERT-In. Shortly after this notification, the exposed data was secured. However, responsibility for the security lapse remains undetermined.

When reached for comment, NPCI spokesperson Ankur Dahiya stated that no data related to NACH mandate information/records from their systems had been compromised. Aye Finance’s co-founder and CEO, Sanjay Sharma, did not respond to a request for comment, nor did the State Bank of India.