Cloud Misconfiguration exposes 273,000 records of Indian bank transfer records
Learn More
A data leak in India's financial sector exposed hundreds of thousands of sensitive banking documents after a cloud storage misconfiguration left transaction data publicly accessible on the internet.
The incident was discovered by cybersecurity researchers at UpGuard in late August 2025. The exposed dataset contained 273,160 PDF documents totaling 210GB of data, all related to bank transfers processed through India's centralized NACH system.
These transaction forms were stored in a publicly accessible Amazon S3 cloud storage bucket, making them available to anyone with knowledge of the bucket's address. The breach affected customers from at least 38 different banks and financial institutions across India, with new files being added to the exposed repository at a rate of approximately 3,000 documents per day.
The exposed documents contained:
- Account holder names and contact details
- Bank account numbers and branch codes
- Transaction amounts and validity periods
- Phone numbers and email addresses
- Social Security equivalent numbers
- Financial institution identifiers and bank codes
- Transaction dates and processing details
The number of affected individuals has not been disclosed.
Following media coverage, Indian fintech company Nupay confirmed it was responsible for the data exposure, attributing the incident to "a configuration gap in an Amazon S3 storage bucket." Nupay's co-founder Neeraj Singh claimed the exposed data consisted primarily of "test records with basic customer details" and "dummy or test files".
UpGuard disputed these claims, stating that only a small fraction of the sampled files appeared to contain test data. Analysis of a sample of 55,000 documents revealed that nearly 60% of the files mentioned Aye Finance, a micro-enterprise lender that had filed for a $171 million IPO. The State Bank of India, the country's largest state-owned bank, was the second most frequently mentioned institution in the leaked documents. Other major financial institutions affected included Punjab National Bank, Bank of Baroda, Unity Small Finance Bank, Axis Bank, and HDFC Bank.
