Cybersecurity Leak: Thousands of Bank Transactions in India Unprotected

A significant security breach in an unsecured cloud server has led to the exposure of hundreds of thousands of sensitive bank transaction documents in India. Researchers from the cybersecurity firm UpGuard discovered in late summer that a publicly accessible storage server hosted on Amazon contained 273,000 PDF documents with information on bank transfers of Indian customers. These documents included completed transaction forms intended for the National Automated Clearing House (NACH). The NACH is a central system used by banks in India to facilitate large volumes of recurring transactions, such as salaries, loan repayments, and utilities. According to the researchers, the exposed data pertained to at least 38 different banks and financial institutions. The reason for the unprotected access to this data remains unclear, as security breaches of this kind often result from misconfigurations and human error. It also remains unresolved who is responsible for the breach, who fixed it, and who should inform the affected individuals. The researchers from UpGuard reported in a blog post that in a sample of 55,000 documents, more than half mentioned the name of the Indian lender Aye Finance, which had registered for an initial public offering worth $171 million last year. The state-owned State Bank of India followed in the frequency of mentions in the documents. After the discovery, the researchers informed Aye Finance as well as the National Payments Corporation of India (NPCI), which oversees the NACH system. However, in early September, the data was still openly accessible, and more documents were being uploaded to the insecure server daily. UpGuard eventually contacted the Indian Computer Emergency Response Team, CERT-In, and shortly thereafter the data leak was closed. Yet the mystery surrounding responsibility persists. According to a spokesperson for the NPCI, Ankur Dahiya, the exposed data did not originate from the NPCI systems. Neither Sanjay Sharma, co-founder and CEO of Aye Finance, nor the State Bank of India responded to requests for comment.