A significant data breach from an unsecured cloud server has exposed a vast amount of sensitive bank transfer documents in India, unveiling crucial information such as account numbers, transaction figures, and contact details of individuals.
Security researchers at UpGuard, a cybersecurity firm, unearthed a shocking discovery in late August. They stumbled upon a publicly accessible Amazon-hosted storage server containing a staggering 273,000 PDF documents related to bank transfers of Indian customers.
The leaked files consisted of completed transaction forms designed for processing through the National Automated Clearing House (NACH), a centralized system utilized by Indian banks to facilitate high-volume recurring transactions like salaries, loan repayments, and utility payments.
This data breach encompassed information from at least 38 different banks and financial institutions, as reported by the researchers to TechCrunch.
The reason behind the exposure of this sensitive data remains unclear. Such security lapses are often attributed to misconfigurations and human errors.
However, the responsible party for the data spill, its protection, and the notification of affected individuals are still unknown.
Data secured, but nobody accepts blame
Upon analyzing a sample of 55,000 documents, UpGuard researchers found that over half of the files mentioned the name of Indian lender Aye Finance, which had undergone a $171 million IPO the previous year. Following Aye Finance, the State Bank of India, a state-owned institution, emerged as the next most frequently mentioned entity.
After identifying the exposed data, the researchers reached out to Aye Finance through various channels, including corporate, customer care, and grievance redressal email addresses. They also informed the National Payments Corporation of India (NPCI), the organization overseeing NACH.
By early September, the researchers noted that the data remained accessible, with new files being added to the server daily.
Subsequently, UpGuard contacted India’s computer emergency response team, CERT-In. Following this action, the exposed data was finally secured, according to the researchers.
Despite the resolution of the security breach, no entity has taken responsibility for the incident.
When questioned about the breach, NPCI spokesperson Ankur Dahiya denied any involvement from their systems.
“A thorough investigation has confirmed that no data related to NACH mandate information/records from NPCI systems were compromised,” stated the spokesperson in an email to TechCrunch.
Neither Sanjay Sharma, the co-founder and CEO of Aye Finance, nor the State Bank of India provided comments in response to inquiries from TechCrunch.
