Sensitive Bank Details of Thousands of Indians Left Publicly Accessible Online

In late August 2025, researchers from UpGuard uncovered an unsecured Amazon S3 bucket leaking over 273,000 sensitive Indian banking transaction documents linked to NACH. The documents exposed account numbers, transaction details, and personal identifiers from 38 banks and financial institutions. Initially, the source was unknown. However, following media coverage, Indian fintech company Nupay admitted responsibility, citing a “configuration gap” in its cloud storage. Despite Nupay’s claims that many files were test data, UpGuard emphasized that the majority were real, active banking transaction forms, making this one of the most severe financial data exposures in India in 2025.

Severity: High

Incident Overview

1. Discovery & Timeline:

  • Aug 26, 2025: UpGuard identified the public S3 bucket with ~273K transaction files.
  • Aug 27–29: Notifications sent to Aye Finance and NPCI.
  • Sep 2: Escalated to CERT-IN due to continuous data growth (~3,000 new files daily).
  • Sep 4: Bucket secured.
  • Sep 24: NPCI confirmed leak did not originate from their systems.
  • Sep 26: Nupay confirmed to TechCrunch that it was responsible due to a cloud misconfiguration.

2. Nature of Exposure:

  • Data consisted of NACH mandate PDFs, used for processing bulk financial transactions.
  • Each file documented a transaction with bank account numbers, transaction dates, amounts, validity, and in many cases names, emails, and phone numbers.
  • Metadata indicated “NACH MANDATE.cdr,” though filenames varied.
  • Data was live and valid, increasing fraud risk.

3. Attribution

Nupay (Fintech, India) later acknowledged the incident, citing:

  • Misconfigured S3 bucket with “test data.”
  • Claimed most were dummy files.
  • Asserted no evidence of unauthorized access.

Disputed by UpGuard:

  • Majority of sampled 55,000 files were genuine, not test.
  • Data was indexed in Grayhatwarfare, making it publicly searchable.

4. Affected Institutions

  • Most impacted: Aye Finance (~60% of records, ~33K documents).
  • Other major institutions: State Bank of India, Punjab National Bank, Bank of Baroda, ICICI, HDFC.
  • In total: 38 banks and financial institutions were affected.

5. Risks & Impact:

Exposure of account details and PII creates opportunities for:

  • Bank fraud (unauthorized transactions, phishing).
  • Identity theft leveraging exposed phone numbers and emails.
  • Mass exploitation using automation/LLMs to process exposed PDFs into usable fraud data.

Recommendations

  1. Enforce strict access controls on all cloud storage (default private, not public).
  2. Implement continuous cloud misconfiguration monitoring tools (e.g., CSPM, CAASM).
  3. Mandate automated alerts for public exposure of sensitive storage buckets.
  4. Ensure encryption at rest and in transit for all sensitive financial transaction data.
  5. Apply data minimization: ensure test environments use anonymized or synthetic data only.
  6. Provide awareness campaigns warning of phishing attempts that may leverage leaked details.
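
Recommendations 1 to 3 can be turned into an automated check. The following is an added example, not code from UpGuard, Nupay or the advisory: it evaluates a bucket's Public Access Block flags, ACL grants and bucket policy, supplied in the shapes returned by the S3 GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy calls. The bucket name and both sample configurations are constructed, and the policy check is a simplification of how AWS itself decides that a policy is public.

```python
import json

# Global grantee groups that make an S3 ACL grant public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    return value if isinstance(value, list) else ([] if value is None else [value])

def public_exposure_findings(pab, acl_grants, policy_json):
    """Return reasons a bucket may be reachable by anyone (empty list = none found)."""
    pab = pab or {}          # None means no Public Access Block is configured
    findings = []
    missing = [f for f in PAB_FLAGS if not pab.get(f)]
    if missing:
        findings.append("public access block off: " + ", ".join(missing))
    # Public ACL grants are honoured only while IgnorePublicAcls is off.
    if not pab.get("IgnorePublicAcls"):
        for grant in acl_grants or []:
            uri = grant.get("Grantee", {}).get("URI")
            if uri in PUBLIC_GROUPS:
                findings.append(f"ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[-1]}")
    # A wildcard-principal Allow reaches anonymous users only while RestrictPublicBuckets is off.
    if policy_json and not pab.get("RestrictPublicBuckets"):
        for stmt in _as_list(json.loads(policy_json).get("Statement")):
            principal = stmt.get("Principal")
            if isinstance(principal, dict):
                principal = "*" if "*" in _as_list(principal.get("AWS")) else None
            if stmt.get("Effect") == "Allow" and principal == "*":
                note = " (has Condition, review manually)" if stmt.get("Condition") else ""
                findings.append("policy allows " + ",".join(_as_list(stmt.get("Action"))) + " to *" + note)
    return findings

# Constructed sample: no access block, a public READ ACL and a public-read policy.
EXPOSED = (None,
           [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}],
           json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
                                      "Action": "s3:GetObject",
                                      "Resource": "arn:aws:s3:::example-mandate-bucket/*"}]}))
# Constructed sample: the same ACL and policy left in place, all four block flags enabled.
HARDENED = ({flag: True for flag in PAB_FLAGS},) + EXPOSED[1:]

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, public_exposure_findings(*cfg))
```

A non-empty result is the condition to alert on; the hardened sample shows that enabling all four Public Access Block flags neutralises a leftover public ACL or policy.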

Source:

  • https://www.upguard.com/breaches/india-bank-transfers-data-leak
  • https://techcrunch.com/2025/09/26/thousands-of-indian-bank-transfer-records-found-online/

Ampcus Cyber