A data spill from an unsecured cloud server has exposed hundreds of thousands of sensitive bank transfer documents in India, revealing account numbers, transaction figures, and individuals’ contact details.
Researchers at cybersecurity firm UpGuard discovered in late August a publicly accessible Amazon-hosted storage server containing 273,000 PDF documents relating to bank transfers of Indian customers.
The exposed files contained completed transaction forms intended for processing via the National Automated Clearing House, or NACH, a centralized system used by banks in India to facilitate high-volume recurring transactions, such as salaries, loan repayments, and utility payments.
The data was linked to at least 38 different banks and financial institutions, the researchers told TechCrunch.
It’s not clear why the data was left publicly exposed and accessible to the internet, though security lapses of this nature are not uncommon due to misconfigurations and human error.
But it remains unclear who caused the data spill, who secured it, and who is ultimately responsible for alerting those whose personal data was exposed.
Data secured, but nobody accepts blame
In its blog post detailing its findings, the UpGuard researchers said that out of a sample of 55,000 documents, more than half of the files mentioned the name of Indian lender Aye Finance, which had filed for a $171 million IPO last year. The Indian state-owned State Bank of India was the next institution to appear by frequency in the sample documents, according to the researchers.
After discovering the exposed data, UpGuard’s researchers notified Aye Finance through its corporate, customer care, and grievance redressal email addresses. The researchers also alerted the National Payments Corporation of India, or NPCI, the government body responsible for managing NACH.
By early September, the researchers said the data was still exposed and that thousands of files were being added to the exposed server daily.
UpGuard said it then alerted India’s computer emergency response team, CERT-In. Shortly afterward, the exposed data was secured, the researchers told TechCrunch.
But nobody seems to want to take responsibility for the security lapse.
When reached for comment, NPCI spokesperson Ankur Dahiya told TechCrunch that the exposed data did not come from its systems.
“A detailed verification and review have confirmed that no data related to NACH mandate information/records from NPCI systems have been exposed/compromised,” the spokesperson said in an email sent to TechCrunch.
Aye Finance co-founder and CEO, Sanjay Sharma did not respond to a request for comment from TechCrunch. The State Bank of India also did not respond to a request for comment.
