Thousands of Indian bank transfer records found online

A data spill from an unsecured cloud server has exposed hundreds of thousands of sensitive bank transfer documents in India. The documents revealed account numbers, transaction figures, and individuals’ contact details.

Researchers at the cybersecurity firm UpGuard discovered the publicly accessible Amazon-hosted storage server in late August. The server contained 273,000 PDF documents relating to bank transfers of Indian customers. The exposed files were completed transaction forms intended for processing via the National Automated Clearing House, or NACH. This is a centralized system used by banks in India to facilitate high-volume recurring transactions such as salaries, loan repayments, and utility payments. The researchers confirmed the data was linked to at least 38 different banks and financial institutions.

Security lapses of this nature are often caused by misconfigurations and human error, though the exact reason for this exposure remains unclear. It is also unknown who caused the data spill, who secured it, and who is responsible for alerting the affected individuals.

In a sample of 55,000 documents, more than half of the files mentioned the name of Indian lender Aye Finance. The state-owned State Bank of India was the next most frequently named institution in the sample.

After discovering the exposed data, UpGuard notified Aye Finance through several email addresses. The researchers also alerted the National Payments Corporation of India, or NPCI, which manages the NACH system. By early September, the data was still exposed and thousands of new files were being added daily. UpGuard then alerted India’s computer emergency response team, CERT-In. Shortly after this alert, the exposed data was secured.

However, no organization has accepted responsibility for the security lapse. An NPCI spokesperson stated that a detailed review confirmed no data from its systems was exposed or compromised. Aye Finance’s CEO did not respond to requests for comment. The State Bank of India also did not respond to a request for comment.