Cybersecurity firm UpGuard discovered a publicly accessible Amazon cloud server in India that was leaking highly sensitive financial data. The server, which contained 273,000 PDF files, exposed documents detailing bank transfers of numerous Indian customers. The exposed data included transaction figures, account numbers, and personal contact details, posing a significant risk to the individuals involved.
The files were linked to the National Automated Clearing House (NACH), a centralized system that Indian banks use for high-volume transactions like salaries and loan repayments. This data breach involved at least 38 different banks and financial institutions, highlighting the widespread nature of the security lapse. While the exact reason for the exposure is unclear, these types of data spills often occur due to misconfigurations and human error, making them a common security threat.
Upon discovering the breach, UpGuard’s researchers attempted to notify the relevant parties. Their findings revealed that more than half of the exposed documents mentioned Aye Finance, an Indian lender. The State Bank of India was the next most frequent institution to appear in the documents. UpGuard initially alerted Aye Finance and the National Payments Corporation of India (NPCI), the government body that manages NACH.
Despite these warnings, the data remained exposed for several weeks, with thousands of new files being added daily. This prompted UpGuard to escalate the issue by notifying India’s computer emergency response team, CERT-In. Shortly after CERT-In’s involvement, the server was secured. However, a blame game ensued, with no party accepting responsibility for the breach.
When asked for comment, an NPCI spokesperson stated that the exposed data did not originate from its systems. Similarly, Aye Finance and the State Bank of India did not respond to requests for comment. The lack of accountability leaves those whose personal data was exposed in a precarious position, with no clear indication of who will take responsibility for the security lapse or the next steps to protect their information.
Reference:
