Data Breach from an unsecured cloud server reveals thousands of Indian bank transfer records online

In the past, we have seen numerous cases where the bank details or credentials of various users have leaked online due to a server or human error, and one such case has once again happened, risking the bank transfer records of thousands of Indians.

UpGuard, a cybersecurity firm, yesterday disclosed in its blog post that it had discovered a public Amazon S3 storage bucket containing over 273,000 recent documents detailing bank transfers in India. The discovery was made on 26th August.

Each file documented a single transaction, revealing unredacted bank account numbers, transaction amounts, and, in many of the files, relevant individuals’ names, phone numbers, and email addresses. It was revealed that the exposed dataset affected accounts at dozens of Indian banks and financial institutions, as well as thousands of individuals, with thousands of new documents added to the storage repository each day.

The data was linked to at least 38 different banks and financial institutions. The most affected organization, as per the data shared, was Aye Finance, followed by State Bank of India, Muthoot Capital, Bank of Baroda, Punjab National Bank, Unity Small Finance Bank, Union Bank of India, Canara Bank, Indian Bank, and more.

After the discovery of this data spill, UpGuard notified Aye Finance and NCPI, the organization responsible for NACH (National Automated Clearing House). And when the firm noticed that the file contents were growing daily, they escalated to CERT-IN, a government agency responsible for addressing cybersecurity incidents.

On 4th September, it was verified that the exposed bucket had been secured, while on 24th September, NPCI responded that the data leak was not from their systems.

This data is no longer left exposed, but it is still not clear who caused the data spill and then later who secured it.