A data leak from an unsecured cloud server exposed hundreds of thousands of sensitive bank transfer documents in India, revealing account numbers, transaction numbers and personal contact details.
Researchers at cybersecurity firm UpGuard discovered a publicly accessible Amazon-hosted storage server in late August containing 273,000 PDF documents related to bank transfers of Indian customers.
The exposed files included completed transaction forms intended for processing through the National Automated Clearing House (NACH), a centralized system used by Indian banks.
The data was linked to at least 38 different banks and financial institutions, researchers told TechCrunch.
Security lapses of this nature are not uncommon and are often the result of mistakes or human error, but it is not clear why the data was left public and accessible from the internet.
It also remains unclear who is responsible for the leaked data, who secured it, and who is responsible for warning the people whose personal data was made public.
Data is secured, but no one accepts the blame
In a blog post detailing its findings, UpGuard said that out of a sample of 55,000 documents, more than half of the files mentioned the name of Indian lender Aye Finance, which filed for a $171 million IPO last year. According to the researchers, the state-owned State Bank of India was the next most frequently appearing institution in the sample documents.
After discovering the exposed data, UpGuard researchers notified Aye Finance through its corporate, customer care, and grievance redressal email addresses. The researchers also alerted the National Payments Corporation of India (NPCI), the government agency responsible for managing NACH.
By early September, the researchers said, the data was still public and thousands of files were being added to the exposed server every day.
UpGuard said it alerted CERT-In, India's computer emergency response team. Shortly afterwards, the exposed data was secured, the researchers told TechCrunch.
However, no one appears willing to take responsibility for the security lapse.
When reached for comment, NPCI spokesman Ankur Dahiya told TechCrunch that the exposed data did not come from its systems.
“Detailed verification and review confirm that data related to NACH has not been published/infringed information/records from the NPCI system,” the spokesman said in an email sent to TechCrunch.
Sanjay Sharma, co-founder and CEO of AYE Finance, did not respond to requests for comment from TechCrunch. The National Bank of India also did not respond to requests for comment.