Indian Banking Data Leak Exposes 273,000 Sensitive Records; UpGuard Discovers Unsecured Server Containing Personal Details and Transaction Figures
A significant data leak originating from an unsecured cloud server has exposed approximately 273,000 sensitive bank transfer documents in India, potentially compromising account details, transaction amounts, and personal contact information of numerous individuals.
Cybersecurity experts at a leading firm identified this issue in late August, discovering a publicly accessible Amazon-hosted storage server containing PDF files related to Indian customers’ bank transfers. The exposed data encompassed completed transaction forms intended for processing through the National Automated Clearing House (NACH), a centralized system utilized by banks in India for high-volume recurring transactions such as salaries, loan repayments, and utility payments.
The affected financial institutions include at least 38 different banks and lenders, according to the researchers’ findings shared with multiple news outlets.
The cause of this data breach remains uncertain, though it is often due to misconfigurations or human error. It is still unclear who was responsible for securing the exposed data, or for notifying those whose personal information was compromised.
Researchers from the cybersecurity firm reported that out of a sample of 55,000 documents, over half mentioned Indian lender Aye Finance, which had filed for an Initial Public Offering (IPO) worth $171 million last year. The State Bank of India was the second most frequently named institution in the sample documents, according to their analysis.
Upon discovering the exposed data, the researchers notified Aye Finance via several corporate, customer care, and grievance redressal email addresses, as well as alerting the National Payments Corporation of India (NPCI), the government body responsible for managing NACH.
Despite early September approaches, the researchers found that the data was still publicly accessible, with thousands of new files being added to the exposed server daily. They then contacted India’s computer emergency response team, CERT-In, and shortly after the exposed data was secured.
However, accountability for the security lapse remains unclear. When reached for comment, an NPCI spokesperson stated that no data related to NACH mandate information/records from their systems had been compromised or exposed. Aye Finance’s co-founder and CEO, Sanjay Sharma, did not respond to requests for comment, and the State Bank of India also remained silent on the matter.
