When data leaked from unsecured cloud servers, hundreds of thousands of sensitive bank transfer documents were published in India, revealing account numbers, transaction numbers and personal contact details.
Researchers at cybersecurity firm Upguard discovered a publicly available Amazon host storage server in late August, containing 273,000 PDF documents related to bank transfers of Indian customers.
The published files included completed transaction forms intended for processing through National Automated Clearing House or centralized systems used by Indian banks.
The data was linked to at least 38 different banks and financial institutions, researchers told TechCrunch.
The spilled data was eventually plugged, but the researchers said they could not determine the cause of the leak.
Following the publication of this article, Indian fintech company Nupay contacted TechCrunch via email to confirm that it has “addressed the configuration gap for Amazon S3 storage buckets” including the bank transfer form.
Security of this nature is not uncommon due to human error, but it is not clear why data was made public and kept internet accessible.
Protected data, Nupay criticizes “configuration gap”
In a blog post detailing the findings, Upguard researchers said that more than half of the files mentioned the name of Indian lender AYE Finance, which applied for a $171 million IPO last year, mentioned it. According to researchers, the Indian state-owned state bank was the next institution that frequently appears in sample documents.
After discovering exposed data, UPGUARD researchers notified AYE Finance through their company, customer care, and complaints relief email addresses. The researchers also warned the NPCI government agency responsible for managing the National Payment Corporation of India or NACH.
By early September, researchers said the data was still public and thousands of files were added to exposed servers every day.
Upguard said it has warned Cert-In, an Indian computer emergency response team. The exposed data was quickly secured, researchers told TechCrunch.
Nevertheless, it remained unclear who was responsible for the lapse of security. AYE Finance and NCPI spokesman denied that they were the source of data leaks, and a spokesman for the National Bank of India acknowledged our outreach but did not provide a comment.
After publication, Nupay confirmed that it was the cause of the data leak.
Nupay co-founder and chief operating officer Neeraj Singh told TechCrunch that a “limited set of test records with basic customer details” was stored on Amazon S3 Bucket, claiming that “majority is a dummy or test file.”
The company said the logs hosted on Amazon were “confirmed that there were no unauthorized access, data leaks, misuse or financial impact.”
Upguard disputed Nupay's claims and told TechCrunch that the sampled researchers appear to contain test data or have Nupay's name on the form. Upguard added that it is unclear how Nupay's cloud logs would rule out access to Nupay's then-Amazon S3 buckets.
Upguard also noted that details about Amazon Bucket are not limited to researchers. This is because the public Amazon S3 bucket addresses were indexed by GrayHatwarfare, a searchable database that indexes publicly available cloud storage.
When asked by TechCrunch, Nupay's Singh didn't immediately say how long the Amazon S3 bucket was published on the web.
It was first published on September 25th and updated with new information from Nupay.