More than 100,000 sensitive bank documents were left exposed on the internet after a U.S. banking institution’s cloud service provider misconfigured outgoing server settings. As Markus points out, it’s an example of just how at-risk sensitive financial data can be from a single misconfigured storage bucket spanning multiple institutions and vendors.
Cybersecurity researchers at UpGuard said they had discovered 273,000 PDF files stored on an Amazon-hosted web storage server to which the public could gain access, many of them completed forms used for payments through the National Automated Clearing House, or NACH. Those forms usually include bank account numbers, signatures on file and a mark or other notation used to approve recurring debits and credits.
- What the exposed documents and forms contained
- How the leak was discovered and reported by UpGuard
- Denials and the question of responsibility
- Risks to buyers and banks from exposed NACH forms
- The regulatory backdrop and obligations in India
- Why public cloud storage buckets keep exposing data
- What to watch next as the investigation continues
 

What the exposed documents and forms contained
A sample review of 55,000 documents by UpGuard revealed more than half reference Aye Finance, a nonbank lender with no public investor information.
State-owned State Bank of India also comes up repeatedly. The files appear to contain NACH mandate and transaction paperwork, the sort of arcana that live deep in back-office workflows but are replete with personal identity and financial information.
These forms contain details such as names, addresses, bank account numbers and branch codes (prefix), mobile numbers and amounts to be credited or debited. In the wrong hands, that information can be used to commit identity theft, social engineering or fraudulent mandate creation, even when there are further controls in place around genuine bank rails.
How the leak was discovered and reported by UpGuard
UpGuard says it found the exposed Amazon S3 bucket in late August and alerted entities it thought might be related, including Aye Finance and the National Payments Corporation of India, which oversees NACH. The researchers noted that “thousands of files” were still being added each day after they made their initial outreach, indicating the existence of an ongoing process feeding new data into the public bucket.
The address of the bucket had also been listed in GrayHatWarfare, a search engine dedicated to finding publicly visible cloud storage, meaning the data was discoverable by anyone, not only by a single research group. Even so, the researchers said they weren’t able to positively identify the owner of the bucket, a common problem when third-party vendors or integrators stand between lenders and payment infrastructure.
Denials and the question of responsibility
Aye Finance and NPCI both denied that they were responsible for the exposure, while a spokesman for State Bank of India confirmed outreach but declined to comment. One outfit linked to the workflow said its logs contained no signs of unauthorized access or financial damage, highlighting how application-level monitoring can fail to guard against the wider exposure of underlying storage.
The episode is a clear demonstration of the shared responsibility model for cloud: cloud providers secure their own infrastructure, while it’s up to customers and partners to properly configure access controls. In financial services, where outsourcing is common practice, responsibility for data security is often distributed across multiple firms, any one of which can prove the weakest link.

Risks to buyers and banks from exposed NACH forms
Even if they don’t hold the cores, exposed NACH documents can be used to run convincing phishing scams or sail through basic know-your-customer checks. Scammers can weaponize a known transaction amount and lender name to deceive customers into giving up one-time passwords or agreeing to change instructions.
For banks, the fallout goes beyond any fraud. Data exposure can trigger notification obligations, class-action liability and increased regulatory attention, especially if the data relates to historic events across a number of regulated entities. Previous data breaches in India exposed unsecured databases and prompted bank supervisors and the country’s national cybersecurity agency to audit and issue directives addressing those issues.
The regulatory backdrop and obligations in India
India’s Digital Personal Data Protection Act imposes obligations on data fiduciaries to protect personal data and disclose material breaches. Independently, CERT-In mandates that organizations report certain cyber incidents within six hours of detection. The Reserve Bank of India has also published cyber security guidelines for banks and non-bank lenders, as well as outsourcing and digital lending norms that hold boards and senior management responsible for vendor risk.
NPCI’s operating circular for NACH mandates stringent customer data handling requirements and verification processes. If a vendor or sub-processor was implicated, contractual provisions relating to data security and breaches would come under scrutiny.
Why public cloud storage buckets keep exposing data
Misconfigurations are still the No. 1 reason data is publicly exposed in the cloud. For object storage such as Amazon S3, exposure occurs when public access is granted at the bucket or object level, when overly permissive access control lists exist, and when automated workflows store sensitive files in a location not intended for public internet exposure.
Security teams can recommend baseline controls: S3 Block Public Access enabled at the account level, enforced encryption, bucket policies restricted to specific identities and networks, pre-signed URLs instead of public links where possible, and cloud configuration tools that monitor for drift. Ongoing discovery through attack surface management and regular vendor assessments is critical in finance, where document-heavy processes frequently flow through third parties.
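To make the bucket-level, ACL and Block Public Access interplay concrete, here is an added example (not from the article or from UpGuard) that audits one bucket's configuration offline. It assumes inputs in the JSON shapes returned by S3's GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy calls; the bucket name and sample documents are constructed, and treating any Condition as "needs review" is a simplification.

```python
import json

_GROUPS = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GROUPS = {_GROUPS + "AllUsers", _GROUPS + "AuthenticatedUsers"}
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def _wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in ([principal] if isinstance(principal, str) else principal or [])

def audit_bucket(bpa, acl, policy_json):
    """Return (effectively_public, findings) for one bucket's configuration."""
    bpa = bpa or {}                      # no BPA configuration: nothing is blocked
    findings = [f"BPA:{k} disabled" for k in BPA_KEYS if not bpa.get(k, False)]
    public = False
    for grant in acl.get("Grants", []):
        if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
            live = not bpa.get("IgnorePublicAcls", False)
            public |= live
            findings.append(f"ACL:{grant['Permission']} to public group"
                            + ("" if live else " (ignored by BPA)"))
    statements = json.loads(policy_json).get("Statement", []) if policy_json else []
    if isinstance(statements, dict):     # a lone statement may be a bare object
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow" or not _wildcard(st.get("Principal")):
            continue
        if st.get("Condition"):          # simplification: conditions need a human
            findings.append("POLICY:wildcard principal with Condition, review")
            continue
        live = not bpa.get("RestrictPublicBuckets", False)
        public |= live
        findings.append("POLICY:unconditional Allow to everyone"
                        + ("" if live else " (restricted by BPA)"))
    return public, findings

# Constructed sample: a document bucket written to by an automated upload job.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-mandate-docs/*"}]})
SAMPLE_ACL = {"Grants": [{"Permission": "READ", "Grantee": {
    "Type": "Group", "URI": _GROUPS + "AllUsers"}}]}
LOCKED = dict.fromkeys(BPA_KEYS, True)
if __name__ == "__main__":
    for label, bpa in (("no BPA", None), ("BPA on", LOCKED)):
        print(label, audit_bucket(bpa, SAMPLE_ACL, SAMPLE_POLICY))
```

The check covers the bucket ACL and bucket policy only; ACLs set on individual objects would need a separate per-object pass.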
What to watch next as the investigation continues
Still, larger questions linger: who owned the bucket, how long the data sat exposed, whether it was accessed at scale by unauthorized parties and just how many — and which — institutions’ customers are in the cache. Clarity on attribution will decide which party will need to send breach notifications to affected individuals and regulators.
For consumers, there is a need for vigilance: track statements, examine unsolicited mandate alerts and ask questions if someone calls to verify known loan or payment information. For lenders and processors, the episode serves as a reminder that controls need to go deeper than payment rails into the documents and workflows that supply them — because attackers are moving where defenses are weakest.
