An unsecured Amazon cloud server exposed 2.73 lakh (273,000) bank transaction records, including unredacted bank account numbers, transaction amounts, names, phone numbers, and email addresses of customers. The leaked data, formatted per National Automated Clearing House (NACH) standards, originated from 38 banks and NBFCs, with Aye Finance accounting for 59.63% of the exposed files. While no KYC, Aadhaar, or PAN details were compromised, the breach involved sensitive financial transaction data linked to individuals and institutions. The misconfiguration was traced to an integration partner managing ACH mandates, but no entity took responsibility. The server was secured only after UpGuard’s intervention and escalation to CERT-In, with delays in response from affected parties. The leak posed risks of financial fraud, identity theft, and reputational damage to both customers and financial institutions involved.
TPRM report: https://www.rankiteo.com/company/aye-finance-ltd
"id": "aye0302903092825",
"linkid": "aye-finance-ltd",
"type": "Breach",
"date": "9/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '59.63% of 2.73 lakh records '
'(~162,839 records)',
'industry': 'financial services',
'location': 'India',
'name': 'Aye Finance',
'type': 'Non-Banking Financial Company (NBFC)'},
{'customers_affected': '24.22% of 2.73 lakh records '
'(~66,106 records)',
'industry': 'banking',
'location': 'India',
'name': 'State Bank of India (SBI)',
'type': 'public sector bank'},
{'customers_affected': '13.31% of 2.73 lakh records '
'(~36,342 records)',
'industry': 'financial services',
'location': 'India',
'name': 'Muthoot Capital',
'type': 'non-bank lender'},
{'customers_affected': '11.13% of 2.73 lakh records '
'(~30,420 records)',
'industry': 'banking',
'location': 'India',
'name': 'Bank of Baroda',
'type': 'public sector bank'},
{'customers_affected': '10.6% of 2.73 lakh records '
'(~28,938 records)',
'industry': 'banking',
'location': 'India',
'name': 'Punjab National Bank (PNB)',
'type': 'public sector bank'},
{'customers_affected': 'remaining ~1.1% of records '
'(~3,025 records)',
'industry': 'financial services',
'location': 'India',
'name': '33 other banks/non-bank lenders',
'type': ['banks', 'non-bank lenders']}],
'attack_vector': 'misconfigured Amazon cloud storage bucket (unsecured S3 '
'bucket)',
'data_breach': {'data_encryption': 'no (files were unredacted and '
'unencrypted)',
'data_exfiltration': 'yes (files were accessible online; '
'55,000 files downloaded by UpGuard for '
'analysis)',
'file_types_exposed': ['ACH mandate applications (unsigned)',
'bank transaction records'],
'number_of_records_exposed': 273000,
'personally_identifiable_information': ['names',
'phone numbers',
'email addresses'],
'sensitivity_of_data': 'high (banking details + PII, but no '
'KYC/Aadhaar/PAN per integration '
'partner)',
'type_of_data_compromised': ['financial records (bank '
'transfers)',
'personally identifiable '
'information (PII)',
'contact information']},
'date_detected': '2023-08-26',
'date_publicly_disclosed': '2023-09-04',
'date_resolved': '2023-09-04',
'description': 'An unsecured Amazon cloud server leaked over 2.73 lakh '
'(273,000) bank transfer records, exposing critical data '
'including names, banking details (unredacted bank account '
'numbers, transaction amounts), and contact information (phone '
'numbers, email addresses). The files were formatted per '
'National Automated Clearing House (NACH) requirements, a '
'system managed by the National Payments Corporation of India '
'(NPCI). The leak affected 38 banks and non-bank lenders, with '
'Aye Finance (NBFC) accounting for 59.63% of exposed records. '
'NPCI confirmed the breach did not originate from its systems. '
'The misconfigured server was secured by UpGuard after '
'notifications to Aye Finance, NPCI, and CERT-In went '
'unaddressed. The exposed data included unsigned ACH mandate '
'applications but no KYC, Aadhaar, PAN, or other sensitive '
'identifiers, per the integration partner.',
'impact': {'brand_reputation_impact': 'high (due to exposure of sensitive '
'financial data and lack of '
'accountability from affected entities)',
'data_compromised': ['bank account numbers (unredacted)',
'transaction amounts',
'individuals’ names',
'phone numbers',
'email addresses',
'ACH mandate applications (unsigned)'],
'identity_theft_risk': 'high (exposed PII + banking details)',
'legal_liabilities': 'potential regulatory scrutiny under India’s '
'data protection laws (e.g., Digital Personal '
'Data Protection Act, 2023)',
'operational_impact': 'potential fraud risk due to exposed banking '
'details; reputational damage to affected '
'institutions',
'payment_information_risk': 'high (unredacted bank account numbers '
'and transaction data)',
'systems_affected': ['Amazon cloud server (S3 bucket)']},
'investigation_status': 'ongoing (no entity has accepted responsibility as of '
'disclosure)',
'lessons_learned': ['Misconfigured cloud storage buckets pose significant '
'risks to financial data.',
'Lack of accountability among multiple stakeholders '
'(banks, NBFCs, integration partners) can delay incident '
'response.',
'Proactive monitoring by third-party cybersecurity firms '
'(e.g., UpGuard) can mitigate prolonged exposures.',
'NACH ecosystem vulnerabilities highlight the need for '
'stricter access controls and audits across all '
'participating entities.'],
'post_incident_analysis': {'corrective_actions': ['Bucket secured by UpGuard '
'(2023-09-04).',
'Vendor (integration '
'partner) claimed to have '
'identified the '
"misconfiguration 'a few "
"weeks prior' but did not "
'act.'],
'root_causes': ['Misconfigured Amazon S3 bucket '
'(lack of authentication/access '
'controls).',
'Failure to monitor cloud storage '
'for unauthorized access.',
'Delayed response from affected '
'entities despite notifications.']},
'recommendations': ['Implement strict access controls and authentication for '
'cloud storage (e.g., AWS S3 buckets).',
'Conduct regular security audits for third-party vendors '
'managing financial data.',
'Establish clear incident response protocols with defined '
'responsibilities for multi-party ecosystems like NACH.',
'Enhance transparency in breach disclosures to maintain '
'customer trust.',
'Adopt automated tools to detect and remediate '
'misconfigurations in real-time.'],
'references': [{'source': 'UpGuard Blog Post'},
{'source': 'TechCrunch'},
{'source': 'Economic Times (ET)'},
{'source': 'NPCI Statement'}],
'regulatory_compliance': {'regulations_violated': ['potential violations of '
'India’s Digital Personal '
'Data Protection Act '
'(DPDP), 2023',
'NACH/NPCI compliance '
'requirements'],
'regulatory_notifications': ['CERT-In notified '
'(2023-09-03)']},
'response': {'communication_strategy': ['notifications to Aye Finance '
'(2023-08-27, 2023-08-28), NPCI '
'(2023-08-29), and CERT-In '
'(2023-09-03)'],
'containment_measures': ['securing the exposed Amazon S3 bucket '
'(by UpGuard on 2023-09-04)'],
'incident_response_plan_activated': 'yes (by UpGuard, not the '
'affected entities)',
'third_party_assistance': ['UpGuard (discovery and '
'containment)']},
'stakeholder_advisories': ['NPCI clarified its systems were not compromised; '
'Aye Finance blamed a vendor misconfiguration.'],
'title': 'Unsecured Cloud Server Leak Exposes 2.73 Lakh Bank Transfer Records '
'in India',
'type': ['data breach',
'cloud misconfiguration',
'unauthorized data exposure'],
'vulnerability_exploited': 'improper access controls / lack of authentication '
'for cloud storage'}