In a significant cybersecurity lapse, a massive trove of sensitive bank transfer documents belonging to Indian customers was left publicly accessible online, exposing critical financial and personal information. The data leak, discovered by cybersecurity firm UpGuard, was traced back to an unsecured Amazon S3 storage server.
Sensitive Banking Data Left Exposed
The exposed database contained over 273,000 PDF documents related to National Automated Clearing House (NACH) transactions — a system used by banks for high-volume payments like salaries, EMIs, and utility bills. The documents revealed sensitive details such as bank account numbers, transaction amounts, and customer contact information, linked to at least 38 banks and financial institutions.
Among the documents, Aye Finance and the State Bank of India (SBI) appeared most frequently, according to UpGuard’s findings.
Leak Persisted for Weeks Despite Alerts
UpGuard researchers discovered the unsecured server in late August and immediately alerted Aye Finance, the National Payments Corporation of India (NPCI), and India’s cybersecurity agency, CERT-In. However, by early September, the server remained exposed, and new files were still being uploaded daily.
It was only after CERT-In’s involvement that the server was finally secured, though by then the data had already been indexed online, increasing the risk of unauthorized access.
Nupay Admits Responsibility but Downplays Impact
Following the exposure, Indian fintech startup Nupay confirmed that the leak originated from a misconfigured Amazon S3 bucket. The company claimed that only a “limited set of test records” was involved and that there was “no unauthorized access or misuse.”
However, UpGuard disputed Nupay’s claims, stating that most of the files contained real customer data and that Nupay had not requested the researchers’ IP logs to verify access details. Additionally, the public server’s address had been indexed on Grayhatwarfare, a database known for listing exposed cloud storage.
A Wake-Up Call for India’s Fintech Sector
The incident underscores the growing risks associated with misconfigured cloud storage and highlights the urgent need for stricter data security and compliance standards in India’s rapidly expanding fintech ecosystem.
While the breach has now been plugged, questions remain about how long the data was exposed and whether it was accessed by malicious actors — a concern that could have significant financial and legal consequences.
