An unsecured cloud storage server that was left open to the public internet exposed hundreds of thousands of banking documents, including loan and mortgage agreements, repayment schedules and other highly sensitive financial records. The files were stored on an Elasticsearch server, a technology used to index and search through data.
The server wasn’t protected with a password, allowing anyone who knew where to look to access the data.
It’s not known who owned the server, but the information it contained could be damaging for both the bank customers and the institutions they were signed up with. While many of the records are from Indian banks, several documents pertain directly to investment companies based in countries around the world.
The data provides a highly detailed view of a person’s finances: sensitive financial or medical information, unpaid bills, indicators of buying habits, and records of loans that reflect customers’ spending capacity. The last of these feeds into so-called creditworthiness ratings, which determine whether newcomers can use debit or credit cards at any given time.
Source: https://blackrocknetworks.blogspot.com/2019/06/an-unsecured-cloud-storage-server.html
What Was Revealed And Why It’s Important
A publicly accessible Amazon-hosted storage bucket with at least 273,000 PDFs attached to National Automated Clearing House (NACH) transactions was uncovered by cybersecurity firm UpGuard. NACH, run by the National Payments Corporation of India, facilitates bulk transactions like salary, EMIs, insurance premium payments and utility bills.
Researchers reviewed completed documents, such as bank transfer and mandate forms. These usually include names, bank account numbers, IFSC codes that identify branches of financial institutions in India, contact details and transaction amounts — sometimes with signatures or images of cancelled cheques. In the hands of an adversary this can mean tailored phishing, tampering with mandates and even account takeover.
How Researchers Uncovered The Leak And Verified It
The open bucket was discovered by the UpGuard team during their usual internet scanning and exploration.
In a sample of 55,000 files, the name that surfaced most often was Aye Finance (in more than half), followed by the State Bank of India as the next most-cited institution in the set. The firm informed Aye Finance and NPCI after discovering the issue.
The bucket had apparently stayed up for days, and new data continued to arrive daily even after the initial outreach. That growth indicates the storage was tied to an active workflow, such as mandate processing or customer onboarding by a third party. The ultimate owner of the bucket and the party responsible for clean-up have not been publicly identified.
Who Is Responsible, And What Happens Next
It’s not uncommon for the handling of financial data to be left in the hands of partner firms — loan service providers, payment aggregators or business correspondents — and each of these might operate its own cloud environment. In previous cases around the world, misconfigured Amazon S3 buckets and similar setups have exposed sensitive files through no fault of the cloud provider; the usual causes are customer-side settings, weak access controls or a lack of encryption.
For now, responsibility remains murky. The files named Aye Finance and SBI, but those institutions may not control the infrastructure where the files were held. If a vendor or intermediary collected and assembled the PDFs, it may bear responsibility for both the breach and the notification of affected persons.
Legal and Regulatory Stakes in India’s Data Laws
The Digital Personal Data Protection Act of India imposes duties on companies processing personal data and gives the Data Protection Board of India the power to investigate violations. In addition, entities must report a cybersecurity incident to CERT-In within hours of discovery. The Reserve Bank of India’s (RBI) cybersecurity framework, together with its 2023 master direction on IT governance, sets expectations for banks and regulated entities regarding access controls, vendor risk management and breach response.
If the leaked PDFs were related to banking or lending activities, then multiple watchdog agencies might get interested. Regulators are likely to scrutinize whether data minimization, encryption at rest, least-privilege access and vendor due diligence were followed — and if customers were notified promptly.
Risks For Consumers And What They Can Do
Targeted scams become more believable with leaked account and contact information. Perpetrators can craft messages that cite real sums or transaction details to hoodwink individuals into sharing OTPs or downloading malware. While NACH transactions rest on regulated authorizations, the raw mandate forms could allow attackers to lure recipients into payment scams or to social-engineer bank staff and customers.
- Turn on and review real-time SMS and email alerts.
- Check bank statements for unfamiliar debits.
- Call your bank to verify existing mandates or beneficiaries.
- If personal or account credentials were widely disclosed, consider reissuing mandates or updating login details.
- Report incidents to your bank, NPCI’s customer grievance cell and the Indian cybercrime portal.
A Larger Flaw in Cloud Security and Vendor Risk
Misconfigured storage is still one of the most common reasons why data is exposed on the internet globally. Default-deny access, bucket-level encryption and automated configuration scanning are good defences, but they’re not widely applied across rapidly evolving vendor landscapes. India’s fintech and lending ecosystem has a broad network of distributed partners involved in the onboarding and collections cycles — and each integration creates a new attack surface.
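The “default-deny access” and “automated configuration scanning” defences above can be checked offline against a bucket’s own settings. The following is an added example, not UpGuard’s tooling or anything from the page: it evaluates a constructed S3 bucket policy and Public Access Block configuration (the bucket name, account id and role name are placeholders) and flags the weak combination beside the corrected one.

```python
"""Offline check of an S3 bucket configuration for anonymous read access."""
import json

def _is_wildcard_principal(principal) -> bool:
    """True when a statement's Principal is everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_read_statements(policy: dict) -> list:
    """Sids of Allow statements that grant object reads to any principal.
    Statements carrying a Condition are skipped: they need manual review."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if any(a in ("s3:GetObject", "s3:*", "*") for a in actions):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found

def bucket_is_public(public_access_block: dict, policy: dict) -> bool:
    """Anonymous reads via policy succeed only when the policy grants them AND
    RestrictPublicBuckets is off. BlockPublicPolicy alone only rejects *new*
    public policies; an existing grant stays live. ACL grants are not evaluated."""
    restricted = public_access_block.get("RestrictPublicBuckets") is True
    return bool(public_read_statements(policy)) and not restricted

# Constructed sample configurations (placeholders, not from any real account).
WEAK_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
HARDENED_BLOCK = {k: True for k in WEAK_BLOCK}
WEAK_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
  "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-mandate-forms/*"}]}""")
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ProcessorOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/mandate-processor"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-mandate-forms/*"}]}

if __name__ == "__main__":
    for label, block, policy in (("weak", WEAK_BLOCK, WEAK_POLICY),
                                 ("hardened", HARDENED_BLOCK, HARDENED_POLICY)):
        print(label, "public" if bucket_is_public(block, policy) else "private")
```

The same check can be run over real configurations exported with the AWS CLI (get-bucket-policy and get-public-access-block), which is how a periodic scan would catch a bucket left open by a vendor.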
This episode is yet more evidence that securing financial systems isn’t just about hardening core banking systems. It also requires governance of every endpoint, script and temporary repository that touches sensitive documents. Until that becomes table stakes, the most catastrophic breach for consumers may occur nowhere near a bank branch — and all it might take is one open bucket.