A leak of data from an unsecured cloud server has exposed hundreds of thousands of sensitive bank transfer documents to India, revealing account numbers, trading data and contact information.
Researchers at Cybersecurity Upguard discovered in late August a public storage server hosted on Amazon containing 273,000 PDF documents on Indian customer banking.
Exposed files contained complete trading forms intended for processing through national automated cleaning, or nach, a central system They are used by banks in India to facilitate high -volume repeated transactions, such as salaries, loan repayments and utility payments.
The data was linked to at least 38 different banks and financial institutions, the researchers told TechCrunch.
It is not clear why the data remained publicly exposed and accessible to the internet, although security losses are not uncommon due to misunderstandings and human error.
But it remains unclear who caused the data leak, which secured it and who is ultimately responsible for the warning of those whose personal data were exposed.
Data secured, but no one accepts responsibility
In his post on the blog Operating his findings, UPGUARD researchers said that from a sample of 55,000 documents, more than half of the records reported the name of Indian lender Aye Finance, which had deposited $ 171 million last year. India’s Indian State Bank was the next institution that appeared in frequency in document samples, according to researchers.
After discovering the exposed data, UPGUARD researchers shared AYE’s funding through corporate, customer service and complaints. The researchers also warned the National Payment Company in India or the NPCI, the government responsible for managing NACH.
In early September, the researchers said the data were still being exposed and that thousands of records were added to the exposed server daily.
UPGUARD said he then alerted India’s emergency team, Cert-in. Shortly afterwards, the exposed data were secured, the researchers told TechCrunch.
But no one seems to want to take responsibility for the delay.
When she arrived for comments, NPCI spokesman Ankur Dahiya told TechCrunch that exposed data did not come from her systems.
“A detailed verification and review confirmed that no/compromised data related to NACI command information/registrations have been exposed/compromised,” the spokesman said in an email sent to TechCrunch.
Aye Finance co -founder and CEO Sanjay Sharma did not respond to a request for comments from TechCrunch. India’s state bank also did not respond to a request for comments.
