Indian Bank Transfer Records Leaked Online - Security Breach

Data Breach Exposes Indian Banking Information

A significant data breach originating from an inadequately secured cloud server has resulted in the exposure of hundreds of thousands of confidential bank transfer records in India.

These compromised documents reveal sensitive information including account numbers, transaction amounts, and personal contact details of individuals.

Discovery of the Exposed Data

In late August, cybersecurity specialists at UpGuard identified a publicly accessible storage server hosted on Amazon.

This server contained approximately 273,000 PDF documents pertaining to bank transfers made by customers across India.

Details of the Compromised Information

The exposed files consisted of completed transaction forms designed for processing through the National Automated Clearing House (NACH).

NACH serves as a central system utilized by Indian banks to manage large-scale, recurring transactions.

These transactions encompass a wide range of financial activities, such as salary disbursements, loan installments, and bill payments.

Affected Financial Institutions

Researchers indicated to TechCrunch that the leaked data was associated with a minimum of 38 distinct banks and financial institutions.

Resolution and Source of the Leak

The vulnerability was ultimately rectified, however, the origin of the data leak remains unidentified.

After the initial report, Nupay, an Indian fintech company, contacted TechCrunch via email.

Nupay confirmed they had resolved a configuration issue within an Amazon S3 storage bucket that housed the bank transfer forms.

Potential Causes of the Breach

The reason for the data being publicly accessible is currently unclear.

However, security vulnerabilities stemming from human error are unfortunately a frequent occurrence.

Security best practices and diligent configuration management are crucial to prevent such incidents.

Data Breach Resolved: Nupay Attributes Incident to a ‘Configuration Gap’

Researchers at UpGuard detailed their findings in a blog post, revealing that over half of the 55,000 documents analyzed referenced Aye Finance, an Indian lending institution that previously filed for a $171 million IPO. The investigation indicated that the State Bank of India, a state-owned entity, was the next most frequently appearing institution within the sampled documents.

Upon discovering the exposed data, UpGuard’s team contacted Aye Finance via multiple channels – corporate, customer support, and grievance redressal email addresses. Furthermore, the National Payments Corporation of India (NPCI), the governmental body overseeing NACH, was also notified of the potential security issue.

Despite initial alerts, the data remained accessible into early September, with thousands of new files being added to the exposed server on a daily basis. This continued exposure prompted further action.

UpGuard subsequently alerted India’s Computer Emergency Response Team (CERT-In). Shortly following this notification, the exposed data was secured, as confirmed by researchers to TechCrunch.

Initially, the responsibility for the security lapse was uncertain. Representatives from both Aye Finance and NPCI denied being the source of the data spill. The State Bank of India acknowledged inquiries but refrained from providing a statement.

Following the publication of the initial report, Nupay acknowledged responsibility for the data exposure. Neeraj Singh, co-founder and COO of Nupay, explained to TechCrunch that a “limited set of test records with basic customer details” were stored within an Amazon S3 bucket.

Nupay asserted that “a majority were dummy or test files.” The company further stated that their Amazon-hosted logs indicated “no unauthorized access, data leakage, misuse, or financial impact” occurred.

UpGuard contested Nupay’s assertions, stating that only a small fraction of the thousands of files sampled appeared to be test data or explicitly identified with Nupay. They also questioned how Nupay’s cloud logs could definitively rule out access to the publicly accessible Amazon S3 bucket without requesting UpGuard’s investigation IP addresses.

It was also highlighted that the Amazon bucket’s details were not exclusive to UpGuard’s researchers. The address of the public Amazon S3 bucket had been indexed by Grayhatwarfare, a publicly searchable database of cloud storage locations.

When questioned by TechCrunch, Nupay’s Singh did not immediately disclose the duration of the Amazon S3 bucket’s public accessibility.

Originally published on September 25, and updated to include additional information provided by Nupay.