Unsecured cloud server exposes Indian bank transfer records

Cybersecurity firm UpGuard has revealed that over 273,000 PDF files containing sensitive financial records were left accessible online through an unsecured Amazon-hosted server, exposing bank transfer details from customers across India, according to TechCrunch.

The repository contained files with account numbers, contact details, transaction amounts, and completed payment forms that were meant to be processed through India's National Automated Clearing House. The system is used for recurring payments such as utility bills, wages, and loan installments.

At least 38 banks and financial institutions were referenced in the data, with the State Bank of India and Aye Finance appearing most frequently in the sample examined by the researchers. The exposure was reported to Aye Finance and the National Payment Corporation of India.

The exposed server was still growing in early September and was only secured after the exposure was escalated to Indias cybersecurity response agency CERT-In. Following the publication of the findings, Indian fintech firm Nupay admitted responsibility, stating the exposure was due to a configuration gap in an Amazon S3 storage bucket.

Nupay co-founder and Chief Operating Officer Neeraj Singh also noted that the majority of the files were test files and test records with basic customer details. UpGuard contested the claims, noting only a few hundred appeared to contain test data.

The company also questioned how Nupay could confirm that no one had accessed the public bucket since it had not requested UpGuards IP addresses used during the investigation.