A critical data breach exposed over 2,73,000 sensitive bank transfer documents in India due to an unsecured Amazon S3 server managed by fintech firm Nupay. The leak, discovered by cybersecurity firm UpGuard, revealed highly confidential financial data, including account numbers, transaction details, and contact information tied to 38 banks. Nupay later acknowledged responsibility, attributing the incident to a 'configuration gap' in their cloud storage setup. The exposed data poses severe risks of financial fraud, identity theft, and reputational damage for affected customers and institutions. The breach underscores vulnerabilities in third-party financial service providers and the critical need for robust cybersecurity measures in handling sensitive banking data. Regulatory scrutiny and potential legal repercussions may follow, given the scale and sensitivity of the compromised information.
TPRM report: https://www.rankiteo.com/company/nupayfintech
"id": "nup4762547092725",
"linkid": "nupayfintech",
"type": "Breach",
"date": "5/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '2,73,000+ (records exposed '
'across 38 banks)',
'industry': 'financial services',
'location': 'India',
'name': 'Nupay',
'type': 'fintech firm'},
{'industry': 'banking/financial services',
'location': 'India',
'name': '38 unnamed banks',
'type': 'banks'}],
'attack_vector': 'unsecured cloud storage (Amazon S3)',
'data_breach': {'data_encryption': 'no (data was unsecured)',
'data_exfiltration': 'yes (data was exposed publicly)',
'file_types_exposed': ['bank transfer documents'],
'number_of_records_exposed': '2,73,000+',
'personally_identifiable_information': 'yes (account numbers, '
'contact information)',
'sensitivity_of_data': 'high (financial and personal data)',
'type_of_data_compromised': ['financial records',
'personal identifiable '
'information (PII)']},
'description': 'A major data breach exposed over 2,73,000 sensitive bank '
'transfer documents in India due to an unsecured Amazon S3 '
'server. The leak revealed account numbers, transaction '
'details, and contact information linked to 38 banks. Fintech '
'firm Nupay later admitted responsibility, attributing the '
"incident to a 'configuration gap'. The breach was discovered "
'by cybersecurity firm UpGuard.',
'impact': {'brand_reputation_impact': 'high (due to exposure of sensitive '
'financial data)',
'data_compromised': ['account numbers',
'transaction details',
'contact information'],
'identity_theft_risk': 'high (due to exposure of PII and financial '
'data)',
'payment_information_risk': 'high (account numbers and transaction '
'details exposed)',
'systems_affected': ['Amazon S3 server']},
'investigation_status': 'discovered by UpGuard; Nupay admitted responsibility',
'post_incident_analysis': {'root_causes': ['configuration gap in Amazon S3 '
'server']},
'references': [{'source': 'Trak.in', 'url': 'https://trak.in/tag/today'}],
'response': {'communication_strategy': ['public admission by Nupay'],
'remediation_measures': ['securing the unsecured Amazon S3 '
'server (assumed)'],
'third_party_assistance': ['UpGuard (discovery)']},
'title': 'Major Data Breach Exposes 2,73,000 Sensitive Bank Transfer '
'Documents in India via Unsecured Amazon S3 Server',
'type': ['data breach', 'misconfiguration'],
'vulnerability_exploited': 'configuration gap in Amazon S3 server'}