Major data breach exposed thousands of Indian bank transfer records
What's the story
A major data breach has exposed hundreds of thousands of sensitive bank transfer documents from India, according to TechCrunch. The leak, discovered by cybersecurity firm UpGuard in late August, was traced back to an unsecured Amazon-hosted storage server containing 273,000 PDF documents. The exposed files contained details such as account numbers, transaction figures, and individuals' contact information.
Breach details
Documents related to NACH transactions
The exposed documents included transaction forms meant for the National Automated Clearing House (NACH), a centralized system used by Indian banks for high-volume recurring transactions. The data breach was linked to at least 38 different banks and financial institutions in India. However, it remains unclear why this sensitive information was left publicly accessible on the internet.
Involvement
Aye Finance, SBI most frequently appearing institutions
In a sample of 55,000 documents examined by UpGuard's researchers, over half mentioned Indian lender Aye Finance. This company had filed for a $171 million IPO last year. The State Bank of India (SBI), a public sector bank, was the second most frequently appearing institution in the sample documents.
Ongoing risk
Leak notified to authorities
After discovering the leak, UpGuard's researchers notified Aye Finance and the National Payments Corporation of India (NPCI), which manages NACH. However, by early September, the data was still exposed, with thousands of files being added daily to the exposed server. UpGuard then alerted India's Computer Emergency Response Team (CERT-In), after which the exposed data was secured.
Accountability issue
No one has taken responsibility for security lapse
Despite the exposed data being secured, no one has come forward to take responsibility for the security lapse. NPCI spokesperson Ankur Dahiya said that a detailed verification and review have confirmed that no data related to NACH mandate information/records from NPCI systems have been exposed/compromised. Aye Finance co-founder and CEO Sanjay Sharma and SBI also did not respond to requests for comment on this matter, TechCrunch reports.