Revealing data spill from a cloud server that is not guaranteed to hundreds of thousands of sensitive bank transfer documents in India, revealing the numbers of accounts, transactions numbers and details of communication with individuals.
Researchers at Cyblessecacity discovered Upguard in late August a possible storage server by Amazon, which contains 273,000 PDF documents related to bank transfers for Indian customers.
The exposed files contained complete transaction models dedicated to processing across the National Clearing House, or Nach, a Central system Banks use them in India to facilitate large -sized repeated transactions, such as salaries, loan payment and utilities payments.
The researchers told Techcrunch: The data has been linked to at least 38 banks and financial institutions.
The leakage data was eventually connected, but the researchers said they could not determine the source of the leakage.
After publishing this article, NUPAY Indian Fintech contacted Techcrunch via email to confirm that it “treated the training gap in Amazon S3 storage” containing bank transfer models.
It is not clear why the data is left publicly and accessed on the Internet, although security lapses of this type are not uncommon due to human error.
The content of the data, Nubai blames the “training gap”
in Blog post In detail the results, researchers at Upguard said that among a sample of 55,000 documents they looked at, more than half of the files mentioned the name of the Indian lender Aye financingThat was I submitted for the public subscription of $ 171 million last year. The state -owned Indian Bank of State was the next institution that appears to be hesitant in the sample documents, according to researchers.
After discovering the open data, the researchers at Upeguard Aye Finance informed the email addresses of its companies and customer service and grievance. The researchers also alerted the National Payments Foundation in India, or NPCI, the governmental body responsible for the NACH administration.
By early September, the researchers said the data is still exposed and that thousands of files were added to the open servant daily.
Upguard said it alerted the response team to India, Cert-in. The researchers said to the open data shortly after.
Despite this, it remained unclear who was responsible for the security break. Aye Finance and NCPI spokesman denied that they were a source of data spill, and a spokesman for the State Bank in India admitted to our communication, but they did not provide the comment.
After publishing, NUPAY confirmed that it was the cause of data spill.
Neeraj Singh, co -founder of NUPAY, Neeraj Singh, Techcrunch that “a limited set of test records with the basic customer details” was stored in Amazon S3 bucket and claimed that “the majority was files or test.”
The company said that its hosted records in Amazon “confirmed that there was no unauthorized access, data leakage, misuse or financial impact.”
Upguard questioned the NUPAY claims, and told Techcrunch that only a few hundred of thousands of files taken by researchers from which samples were taken containing test data or bearing the name NUPAY on models. Upguard added that it is unclear how NUPAY Cloud can exclude any access to the NUPY Aqual Aquarius at the time, given that NUPAT has not asked his IP addresses that were used to investigate data exposure.
Upguard also pointed out that the details of the Amazon bucket were not limited to researchers, as Grayhatwarfare, a search database that violated the visible cloud storage field in general.
When asked by Techcrunch, NUPay’s Singh was not immediately mentioned how long the Amazon S3 bucket was accessible to the web.
It was first published on September 25 and was updated with new information from NUPAY.
https://techcrunch.com/wp-content/uploads/2025/09/india-cash-money-transfers-2232346772.jpg?resize=1200,800
Source link