A data leak from an unsecured cloud server has exposed hundreds of thousands of sensitive bank transfer documents in India, revealing account numbers, transaction data and contact information.
Researchers at cybersecurity firm UpGuard discovered in late August a publicly accessible storage server hosted on Amazon containing 273,000 PDF documents relating to Indian customers' banking.
The exposed files contained completed transaction forms intended for processing through the National Automated Clearing House, or NACH, a centralized system used by banks in India to facilitate high-volume recurring transactions, such as salaries, loan repayments and utility payments.
The data was linked to at least 38 different banks and financial institutions, the researchers told TechCrunch.
The leak was eventually plugged, but the researchers said they could not locate the source of the leak.
Following the publication of this article, the Indian fintech company Nupay contacted TechCrunch by email to confirm that it “turned to a configuration gap in an Amazon S3 storage bin” containing bank transfer forms.
It is not clear why the data remained publicly exposed and accessible to the internet, although security lapses of this kind are not uncommon due to human error.
Data secured, Nupay blames “configuration gap”
In a blog post analyzing their findings, UpGuard researchers said that in a sample of 55,000 documents they examined, more than half of the records carried the name of Indian lender Aye Finance, which had deposited $171 million last year. The State Bank of India was the next most frequent institution in the document sample, according to the researchers.
After discovering the exposed data, UpGuard researchers contacted Aye Finance through its corporate, customer service and complaints channels. The researchers also alerted the National Payments Corporation of India, or NPCI, the government body responsible for managing NACH.
In early September, the researchers said the data was still exposed and that thousands of records were being added to the exposed server daily.
UpGuard said it then alerted India’s computer emergency response team, CERT-In. The exposed data was secured shortly afterwards, the researchers told TechCrunch.
However, it remained unclear who was responsible for the delay. Representatives of Aye Finance and NPCI denied they were the source of the data leak, and a representative of the State Bank of India acknowledged our outreach but did not comment.
After the publication, Nupay confirmed that it was the cause of data leakage.
Nupay co-founder and chief executive, Neeraj Singh, told TechCrunch that a “limited set of basic customer tests” was stored in the Amazon S3 bucket and claimed that “the majority were virtual or trial files”.
The company said logs hosted by Amazon “confirmed that there was no unauthorized access, data leakage, abuse or financial impact”.
UpGuard questioned Nupay’s claims, telling TechCrunch that only a few hundred of the thousands of records its researchers sampled appeared to contain test data or had Nupay’s name on the documents. UpGuard added that it was not clear how Nupay’s cloud logs could rule out any access to Nupay’s then-public Amazon bucket, as Nupay did not ask UpGuard for the IP addresses it used to investigate the data exposure.
UpGuard also noted that knowledge of the Amazon bucket was not limited to its researchers, as the address of the public Amazon S3 bucket had been indexed by Grayhatwarfare, a searchable database of publicly visible cloud storage.
When asked by TechCrunch, Nupay’s Singh did not immediately say how long the Amazon S3 bucket was publicly accessible to the web.
First published on September 25 and updated with new information from Nupay.
