A massive data breach has exposed 273,000 sensitive bank transfer documents from Indian customers, revealing account numbers, transaction details, and personal information across 38 financial institutions. The exposed files, discovered on an unsecured Amazon cloud server by cybersecurity firm UpGuard, contained completed transaction forms for India's National Automated Clearing House system - but nobody wants to take responsibility for the security lapse.
The discovery has sent shockwaves through India's banking sector after UpGuard researchers stumbled upon what amounts to one of the largest financial data exposures in recent memory. The publicly accessible server contained completed transaction forms designed for processing through the National Automated Clearing House (NACH), India's centralized system for high-volume recurring payments like salaries and loan repayments.
What makes this breach particularly concerning is the scope - data from at least 38 different banks and financial institutions was sitting in plain sight on the internet. According to UpGuard's analysis, more than half of a 55,000-document sample referenced Aye Finance, an Indian lender that made headlines filing for a $171 million IPO last year. The State Bank of India, the country's largest public sector bank, appeared next most frequently in the exposed documents.
The timeline reveals a troubling pattern of buck-passing that's become all too common in data breach incidents. After discovering the exposed server in late August, UpGuard researchers immediately reached out to Aye Finance through multiple channels - corporate email, customer care, and grievance addresses. They also contacted the National Payments Corporation of India (NPCI), the government body overseeing NACH operations.
Weeks passed with the data still exposed. By early September, researchers watched in horror as thousands of additional files were added to the vulnerable server daily, suggesting the exposed system was still in active use. Finally, UpGuard escalated to India's Computer Emergency Response Team (CERT-In), and the data was secured shortly after.
But here's where the story gets messy - nobody wants to own this disaster. NPCI spokesperson Ankur Dahiya quickly distanced his organization from the breach, telling TechCrunch that "a detailed verification and review have confirmed that no data related to NACH mandate information/records from NPCI systems have been exposed/compromised."
The finger-pointing doesn't stop there. Aye Finance co-founder and CEO Sanjay Sharma hasn't responded to requests for comment, and the State Bank of India has also remained silent. This institutional silence is particularly striking given that financial data breaches in India can trigger serious regulatory consequences under the country's data protection frameworks.