A recent data exposure incident has raised alarms in India’s financial sector, after hundreds of thousands of sensitive bank transfer documents were found accessible online due to an unsecured cloud server. The leak revealed account numbers, transaction amounts, and customer contact details.

Discovery of the breach

Cybersecurity researchers at UpGuard identified the issue in late August, when they found a publicly accessible Amazon-hosted storage bucket containing approximately 273,000 PDF documents related to Indian bank transfers. These files were forms used for processing transactions through the National Automated Clearing House (NACH), a system that handles large volumes of recurring payments such as salaries, utility bills, and loan repayments.

According to the researchers, the exposed data was tied to at least 38 different banks and financial institutions. Although the leak was eventually secured, the initial source of the exposure was unclear.

Nupay confirms responsibility

Following the publication of the incident, Indian fintech company Nupay acknowledged that the exposed files originated from one of its Amazon S3 buckets, citing a “configuration gap” as the cause. The company stated that the records included only “a limited set of test files,” with most of them being dummy data. Nupay further claimed there was no evidence of unauthorized access, misuse, or financial impact.

However, UpGuard disputed this explanation, noting that most of the thousands of documents analyzed contained real customer data and references to multiple financial institutions. The researchers also questioned how Nupay could confirm no access had occurred, given that the public bucket was indexed on Grayhatwarfare, a database cataloging exposed cloud storage.

Impact and response

Among the exposed files, more than half referenced Aye Finance, an Indian lender that filed for a $171 million IPO last year. Documents from the State Bank of India, one of the country’s largest state-owned banks, were also included in the sample analyzed.

UpGuard attempted to notify Aye Finance, the National Payments Corporation of India (NPCI)—which oversees NACH—and eventually escalated the case to India’s CERT-In cybersecurity response team. The exposed data remained publicly accessible until early September, when action was finally taken to secure the server.

Broader implications

Although Nupay has since closed the exposure, the incident underscores the persistent risks of cloud misconfigurations, a leading cause of sensitive data leaks worldwide. With cloud storage becoming central to financial operations, ensuring proper security configurations is critical for preventing large-scale exposures.

This case serves as another reminder that human error in cloud management can create vulnerabilities, and that proactive monitoring and observability are essential for safeguarding financial data at scale.

Source: https://techcrunch.com/2025/09/26/thousands-of-indian-bank-transfer-records-found-online