Indian Bank Data Breach Exposes Thousands of Transfer Records

A significant data breach originating from an unsecured cloud server has compromised hundreds of thousands of sensitive bank transfer documents in India. This incident exposed critical financial information, including account numbers, transaction details, and personal contact information belonging to numerous customers. Cybersecurity specialists at UpGuard identified the vulnerability in late August, finding a publicly accessible Amazon-hosted storage server containing 273,000 PDF documents related to customer bank transfers.

These files were completed transaction forms meant for processing through the National Automated Clearing House (NACH), a centralized system Indian banks use to manage high-volume recurring payments like salaries, loan installments, and utility bills. The data was connected to transactions involving at least 38 different banks and financial institutions. The exposed information was eventually secured, but the initial source of the leak remained a mystery for some time.

Following the initial reports, the Indian fintech firm Nupay came forward to acknowledge its role in the incident. The company confirmed it had “addressed a configuration gap in an Amazon S3 storage bucket” that housed the bank transfer forms. Such security lapses, often resulting from human error, are unfortunately common.

In their detailed analysis, UpGuard researchers examined a sample of 55,000 documents. They found that more than half of the files referenced the lender Aye Finance, which had filed for a substantial IPO the previous year. The State Bank of India was the next most frequently appearing institution in the sample. After discovering the exposed data, UpGuard notified Aye Finance through multiple channels and also alerted the National Payments Corporation of India (NPCI), the governing body for NACH.

By early September, the data was still publicly available, with thousands of new files being added to the server daily. UpGuard then escalated the issue by informing India’s computer emergency response team, CERT-In. The data was secured shortly after this notification. Despite these actions, pinpointing responsibility proved difficult initially, with Aye Finance and NPCI denying they were the source. The State Bank of India acknowledged inquiries but did not comment.

Nupay’s co-founder and COO, Neeraj Singh, later stated that the bucket contained a “limited set of test records with basic customer details” and claimed that a majority were dummy or test files. The company asserted that its internal logs showed no evidence of unauthorized access, data leakage, or financial impact.

UpGuard challenged these assertions, telling reporters that only a few hundred of the thousands of files they sampled appeared to be test data or bore Nupay’s name. The cybersecurity firm also expressed skepticism about how Nupay could definitively rule out unauthorized access without requesting the IP addresses UpGuard used during its investigation. Furthermore, UpGuard highlighted that the public Amazon S3 bucket’s address had been indexed by Grayhatwarfare, a searchable database for publicly visible cloud storage, meaning its exposure was not a secret limited to their researchers. When questioned, Nupay did not immediately disclose how long the bucket had been accessible on the web.

(Source: TechCrunch)