Data breach leaks sensitive bank records

Researchers at cybersecurity firm UpGuard discovered in late August a publicly accessible Amazon-hosted storage server containing 273,000 PDF documents relating to bank transfers of Indian customers

Our Bureau Published 28.09.25, 12:09 PM

Representational image Sourced by the Telegraph

A data spill from an unsecured cloud server has exposed hundreds of thousands of sensitive bank transfer documents in India, revealing account numbers, transaction figures and contact details, website TechCrunch reported.

Researchers at cybersecurity firm UpGuard discovered in late August a publicly accessible Amazon-hosted storage server containing 273,000 PDF documents relating to bank transfers of Indian customers.

The exposed files contained completed transaction forms intended for processing via the National Automated Clearing House (NACH), a centralised system used by banks in India to facilitate high-volume recurring transactions, such as salaries, loan repayments and utility payments.

The data was linked to at least 38 different banks and financial institutions, the researchers told TechCrunch.

The spilling data was eventually plugged, but the researchers said they could not identify the source of the leak.

Indian fintech company Nupay reached out to TechCrunch by email to confirm that it “addressed a configuration gap in an Amazon S3 storage bucket” that contained the bank transfer forms.

Nupay’s co-founder and chief operating officer, Neeraj Singh, told TechCrunch that a “limited set of test records with basic customer details” was stored in the Amazon S3 bucket and claimed “a majority were dummy or test files.”

UpGuard disputed Nupay’s claims, telling TechCrunch that only a few hundred of the thousands of files its researchers sampled appeared to contain test data or had Nupay’s name on the forms.

It’s not clear why the data was left publicly exposed and accessible to the Internet, though security lapses of this nature are not uncommon due to human error.

In a blog post, the UpGuard researchers said that out of a sample of 55,000 documents they looked at, more than half of the files mentioned the name of Indian lender Aye Finance. State Bank of India was the next institution to appear by frequency in the sample documents, according to the researchers.

After discovering the exposed data, UpGuard’s researchers notified Aye Finance and also alerted the National Payments Corporation of India (NPCI), the government body managing NACH.

By early September, the researchers said the data was still exposed and that thousands of files were being added to the exposed server daily.

UpGuard said it then alerted India’s computer emergency response team, CERT-In. The data was secured shortly after, the researchers told TechCrunch.

Data breach leaks sensitive bank records

Researchers at cybersecurity firm UpGuard discovered in late August a publicly accessible Amazon-hosted storage server containing 273,000 PDF documents relating to bank transfers of Indian customers

RELATED TOPICS

Vijay was supposed to come at 12, but arrived at 7.40 PM; people waited under hot sun: DGP

‘Pakistan-link’ lens on Wangchuk: Big question mark on him, Ladakh DGP says

Plastic pain & penance: Waste disrupts KMC pumping stations, drainage delayed

It’s scary to think that India, Pakistan are almost on a par when it comes to fighter jets

BJP’s discovery of Jyotiba Phule: Critics slam attempt at appropriation of Bahujan icon

UP maulana calls for 'I love Muhammad' march, arrested in Bareilly after police-mob clash

DSLRs and dreams: Filmmakers chronicle riverine cultures, life at the three-day Nadi Utsav

With Sashthi around the corner, here's your guide to a safe and joyous Durga Puja

Panchami crowd baffles police, bumper-to-bumper traffic on roads across Calcutta

Pakistan, China, Russia, Iran oppose foreign military bases in and around Afghanistan

Trump drops 100% tariff bomb on branded drugs as India’s generics industry watches

Sonam Wangchuk key instigator in Leh violence, being probed for Pakistan links