Unsecured cloud server exposes 273,000 bank transfer records in India

A misconfigured cloud storage server has exposed hundreds of thousands of sensitive bank transfer documents in India, revealing customer account details, transaction information, and personal contact data.

The data spill was uncovered in late August by researchers at cybersecurity company UpGuard, who found an Amazon-hosted storage server left publicly accessible on the internet. The server contained more than 273,000 PDF documents tied to bank transfers processed through the National Automated Clearing House, or NACH, a system widely used by Indian banks for recurring transactions such as salaries, loan repayments, and utility bills.

The exposed records were linked to at least 38 banks and financial institutions, according to UpGuard. The documents included completed transaction forms that customers had submitted for processing, putting both financial and personal data at risk.

It is unclear who was responsible for uploading and maintaining the unsecured server. Security misconfigurations are a frequent cause of data exposures, but questions remain about who allowed the lapse, who ultimately secured the server, and who will notify affected individuals.

In a sample of 55,000 files reviewed by researchers, more than half referenced Aye Finance, a nonbank lender that filed for a $171 million initial public offering last year. State Bank of India, the country’s largest public sector bank, appeared next most frequently in the exposed documents.

After identifying the exposure, UpGuard said it notified Aye Finance, the National Payments Corporation of India (NPCI), which oversees the NACH system, and later India’s Computer Emergency Response Team (CERT-In). Despite repeated alerts, the researchers reported that the server continued to grow by thousands of files daily until early September, when it was finally secured following CERT-In’s involvement.

Responsibility for the breach remains disputed. NPCI spokesperson Ankur Dahiya told TechCrunch that the compromised server was not part of NPCI’s infrastructure. “A detailed verification and review have confirmed that no data related to NACH mandate information/records from NPCI systems have been exposed/compromised,” Dahiya said in an email.