India's ICICI Bank allegedly leaked 3.6m data records via misconfigured server

ICICI Bank, one of India’s leading financial organisations, reportedly suffered a significant data breach that allegedly compromised the sensitive personal information of its customers.

With almost 29 years in the financial sector, ICICI Bank has more than 5,000 branches in India and has a presence in at least 17 countries. In 2022, ICICI Bank was named a “critical information infrastructure” by the Indian Government, which means any security incident the bank sufferers could have an impact on national security.

The security incident was first reported by cyber security researchers at Cybernews who, on February 1, discovered a misconfigured and publicly-accessible Digital Ocean bucket that contained more than 3.6 million files belonging to ICICI Bank.

The cloud storage bucket contained bank account details, credit card numbers, full names, dates of birth, home addresses, phone numbers, emails, passports details, IDs, PAN Card details (Indian taxpayer identification numbers), bank statements, and updated know-your-customer (KYC) details. The cloud storage also contained CVs of the bank’s current employees and job candidates.

Cybernews reached out to the bank and Indian Computer Emergency Response Team (CERT-IN) and notified them about the security incident. On March 30, the misconfigured Digital Ocean bucket belonging to ICICI Bank was fixed and access was restricted.

In response to Cybernews’ request for an official statement, ICICI Bank said, “Thanks for your email. With regards to it, we do not know which incident you are referring to” and referred them to the Corporate Communications Team.

Cybernews, however, did not receive any reply from the bank’s Corporate Communications Team as emails sent to their email account bounced. The authenticity of these claims is yet to be verified as ICICI Bank hasn’t commented on the reported security incident.