TechCrunch News, September 27
Indian bank transfer documents leaked, exposing large amounts of sensitive customer information

 

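A data leak from a cloud server in India exposed hundreds of thousands of bank transfer documents containing customers' account numbers, transaction amounts and contact details. Researchers at cybersecurity firm UpGuard discovered in late August that a publicly accessible Amazon storage server had leaked 273,000 PDF documents of Indian customers' bank transfers. The documents were used for transactions through India's National Automated Clearing House (NACH) and involved at least 38 banks and financial institutions. Although the leak was eventually plugged, its source remained unidentified. Afterwards, Indian fintech company Nupay acknowledged that its configuration error had caused the leak.

🛡️ **Large-scale data leak**: A serious data leak at a cloud server in India exposed about 273,000 bank transfer documents containing sensitive information. The documents included Indian customers' account numbers, transaction amounts, contact details and other personal information, which could lead to financial fraud and identity theft risks.

🏦 **Wide range of financial institutions involved**: The leaked data was linked to at least 38 different banks and financial institutions, with Indian lender Aye Finance and State Bank of India appearing most frequently in the sample documents. This suggests the leak may have had a broad impact on India's financial system.

🔍 **Tracing and confirming the source**: After discovering the leak, cybersecurity firm UpGuard immediately notified the relevant organizations, but the source was unclear for a time. Eventually, Indian fintech company Nupay acknowledged that a configuration error in its Amazon S3 bucket had caused the sensitive data to be publicly exposed.

⚠️ **Security lapse and attribution of responsibility**: The incident highlights the serious security risk that misconfigured cloud storage can pose. Although Nupay claimed that the leaked data was mainly test data and that no unauthorized access occurred, UpGuard questioned this and pointed out that the address of the leak had been publicly indexed. The exact duration of the leak and precise responsibility remain to be clarified.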

A data spill from an unsecured cloud server has exposed hundreds of thousands of sensitive bank transfer documents in India, revealing account numbers, transaction figures, and individuals’ contact details.

Researchers at cybersecurity firm UpGuard discovered in late August a publicly accessible Amazon-hosted storage server containing 273,000 PDF documents relating to bank transfers of Indian customers. 

The exposed files contained completed transaction forms intended for processing via the National Automated Clearing House, or NACH, a centralized system used by banks in India to facilitate high-volume recurring transactions, such as salaries, loan repayments, and utility payments.

The data was linked to at least 38 different banks and financial institutions, the researchers told TechCrunch.

The data spill was eventually plugged, but the researchers said they could not identify the source of the leak.

Following the publication of this article, Indian fintech company Nupay reached out to TechCrunch by email to confirm that it “addressed a configuration gap in an Amazon S3 storage bucket” that contained the bank transfer forms.

It’s not clear why the data was left publicly exposed and accessible to the internet, though security lapses of this nature are not uncommon due to human error.

In their blog post detailing their findings, the UpGuard researchers said that out of a sample of 55,000 documents that they looked at, more than half of the files mentioned the name of Indian lender Aye Finance, which had filed for a $171 million IPO last year. The Indian state-owned State Bank of India was the next institution to appear by frequency in the sample documents, according to the researchers.

After discovering the exposed data, UpGuard’s researchers notified Aye Finance through its corporate, customer care, and grievance redressal email addresses. The researchers also alerted the National Payments Corporation of India, or NPCI, the government body responsible for managing NACH.

By early September, the researchers said the data was still exposed and that thousands of files were being added to the exposed server daily. 

UpGuard said it then alerted India’s computer emergency response team, CERT-In. The exposed data was secured shortly after, the researchers told TechCrunch.

Despite this, it remained unclear who was responsible for the security lapse. Spokespeople for Aye Finance and NPCI denied that they were the source of the data spill, and a spokesperson for the State Bank of India acknowledged our outreach but did not provide comment.

Following publication, Nupay confirmed that it was the cause of the data spill.

Nupay’s co-founder and chief operating officer, Neeraj Singh, told TechCrunch that a “limited set of test records with basic customer details” was stored in the Amazon S3 bucket and claimed “a majority were dummy or test files.”

The company said its Amazon-hosted logs “confirmed that there has been no unauthorized access, data leakage, misuse, or financial impact.”

UpGuard disputed Nupay’s claims, telling TechCrunch that only a few hundred of the thousands of files its researchers sampled appeared to contain test data or had Nupay’s name on the forms. UpGuard added that it was unclear how Nupay’s cloud logs can allegedly rule out any access to Nupay’s then-public Amazon S3 bucket, given that Nupay has not asked UpGuard for its IP addresses that were used to investigate the data exposure.

UpGuard also noted that details of the Amazon bucket were not limited to its researchers, as the address of the public Amazon S3 bucket had been indexed by Grayhatwarfare, a searchable database that indexes publicly visible cloud storage.
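The log question UpGuard raises can be made concrete with an added example (not from the article, UpGuard or Nupay): it counts successful anonymous reads per source IP in S3 server access logs, then shows how a list of known investigator addresses changes what remains unexplained. It assumes server access logging was enabled on the bucket during the exposure window; the bucket name, keys, dates and IP addresses are constructed placeholders.

```python
import re
from collections import Counter

# Leading fields of an S3 server access log record:
# owner bucket [time] remote_ip requester request_id operation key "request-URI" status ...
LINE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<op>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d{3}|-) '
)

# Operations that disclose data: object download and bucket listing.
READ_OPS = {"REST.GET.OBJECT", "REST.GET.BUCKET"}


def unexplained_anonymous_reads(lines, known_ips=frozenset()):
    """Return {source_ip: count} of successful anonymous reads, minus known_ips."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an access log record
        anonymous = m["requester"] == "-"   # "-" marks an unauthenticated request
        success = m["status"] in ("200", "206")
        if anonymous and success and m["op"] in READ_OPS and m["ip"] not in known_ips:
            hits[m["ip"]] += 1
    return dict(hits)


# Constructed sample records (documentation-range IPs, placeholder names).
P = "ownerid example-bucket [01/Jan/2000:10:00:0%d +0000] "
SAMPLE = [
    P % 1 + '198.51.100.7 - REQ1 REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 1024 - 20 19 "-" "curl" -',
    P % 2 + '198.51.100.7 - REQ2 REST.GET.OBJECT forms/a.pdf "GET /forms/a.pdf HTTP/1.1" 200 - 5000 5000 30 29 "-" "curl" -',
    P % 3 + '203.0.113.20 - REQ3 REST.GET.OBJECT forms/b.pdf "GET /forms/b.pdf HTTP/1.1" 200 - 5000 5000 30 29 "-" "bot" -',
    P % 4 + '192.0.2.10 arn:aws:iam::111122223333:user/app REQ4 REST.PUT.OBJECT forms/c.pdf "PUT /forms/c.pdf HTTP/1.1" 200 - - 5000 40 39 "-" "sdk" -',
    P % 5 + '203.0.113.99 - REQ5 REST.GET.OBJECT forms/d.pdf "GET /forms/d.pdf HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "bot" -',
]

if __name__ == "__main__":
    print("all anonymous reads:", unexplained_anonymous_reads(SAMPLE))
    # Treat 198.51.100.7 as a known investigator address (constructed).
    print("after excluding known IPs:", unexplained_anonymous_reads(SAMPLE, {"198.51.100.7"}))
```

Any address left in the second result is an anonymous read that the known-investigator list does not account for.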

When asked by TechCrunch, Nupay’s Singh did not immediately say how long the Amazon S3 bucket was publicly accessible to the web.

First published on September 25 and updated with new information from Nupay.
