A misconfigured Amazon S3 storage bucket operated by Indian fintech company Nupay exposed 273,000 sensitive bank transfer documents, including account numbers, transaction details, and personal contact information of Indian customers. The leaked files linked to 38 banks and financial institutions, prominently featuring Aye Finance and State Bank of India were part of the National Automated Clearing House (NACH), India’s centralized system for high-volume transactions like salaries and loan repayments.Researchers at UpGuard discovered the publicly accessible bucket in late August 2023, noting that thousands of new files were being added daily even after initial alerts. While Nupay later claimed the exposed data was mostly ‘dummy or test records’, UpGuard disputed this, stating only a few hundred of the sampled files appeared non-sensitive. The bucket’s details were also indexed by Grayhatwarfare, a public database of unsecured cloud storage, raising concerns over potential unauthorized access.The exposure was secured in early September after interventions from CERT-In (India’s cybersecurity agency), but the incident highlighted critical lapses in cloud security protocols, risking financial fraud, identity theft, and reputational damage for affected individuals and institutions. Nupay attributed the breach to a ‘configuration gap’ but provided no clarity on the duration of exposure or evidence ruling out data misuse.
Source: https://techcrunch.com/2025/09/26/thousands-of-indian-bank-transfer-records-found-online/
TPRM report: https://www.rankiteo.com/company/nupayfintech
"id": "nup5192851092625",
"linkid": "nupayfintech",
"type": "Breach",
"date": "8/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '273,000 records (disputed: '
'Nupay claims majority were test '
'files)',
'industry': 'financial services',
'location': 'India',
'name': 'Nupay',
'type': 'fintech company'},
{'customers_affected': 'significant portion of exposed '
'records (over 50% in sampled '
'55,000 documents)',
'industry': 'financial services',
'location': 'India',
'name': 'Aye Finance',
'type': 'non-banking financial company (NBFC)'},
{'customers_affected': 'present in sampled documents '
'(frequency unspecified)',
'industry': 'banking',
'location': 'India',
'name': 'State Bank of India (SBI)',
'type': 'public sector bank'},
{'industry': 'financial services',
'location': 'India',
'name': '38 other banks and financial institutions',
'type': ['banks', 'financial institutions']},
{'industry': 'payments infrastructure',
'location': 'India',
'name': 'National Payments Corporation of India (NPCI)',
'type': 'government body'}],
'attack_vector': 'misconfigured Amazon S3 bucket (publicly accessible)',
'data_breach': {'data_encryption': 'none (data stored in plaintext PDFs)',
'data_exfiltration': 'unconfirmed (publicly accessible but no '
'evidence of unauthorized download)',
'file_types_exposed': ['PDF'],
'number_of_records_exposed': 273000,
'personally_identifiable_information': ['names',
'account numbers',
'contact details '
'(phone numbers, '
'addresses)',
'transaction amounts'],
'sensitivity_of_data': 'high (financial and personal data)',
'type_of_data_compromised': ['personally identifiable '
'information (PII)',
'financial transaction records',
'bank account details',
'NACH transaction forms']},
'date_detected': '2023-08-28T00:00:00Z',
'date_publicly_disclosed': '2023-09-25T00:00:00Z',
'date_resolved': '2023-09-05T00:00:00Z',
'description': 'A misconfigured Amazon S3 storage bucket exposed 273,000 PDF '
'documents containing sensitive bank transfer details of '
'Indian customers, including account numbers, transaction '
'figures, and contact information. The data was linked to at '
'least 38 banks and financial institutions, with Aye Finance '
'and State Bank of India being the most frequently mentioned '
'in sampled documents. The leak was discovered by UpGuard in '
'late August 2023 and secured in early September after '
'notifications to affected entities and CERT-In. Fintech '
'company Nupay later confirmed responsibility, attributing the '
"incident to a 'configuration gap' but claiming most files "
'were test records. UpGuard disputed this, noting minimal test '
'data and evidence of public accessibility via Grayhatwarfare '
'indexing.',
'impact': {'brand_reputation_impact': ['potential reputational damage to '
'Nupay, Aye Finance, and associated '
'banks'],
'data_compromised': ['bank account numbers',
'transaction figures',
'individuals’ contact details (names, '
'addresses, phone numbers)',
'NACH transaction forms (salaries, loan '
'repayments, utility payments)'],
'identity_theft_risk': ['high (exposed PII and financial data)'],
'payment_information_risk': ['high (exposed bank account numbers '
'and transaction details)'],
'systems_affected': ['Amazon S3 storage bucket']},
'investigation_status': 'closed (data secured; responsibility attributed to '
'Nupay)',
'lessons_learned': ['Importance of securing cloud storage configurations '
'(e.g., S3 bucket permissions).',
'Need for proactive monitoring of public-facing assets to '
'detect misconfigurations.',
'Challenges in attributing responsibility for third-party '
'data leaks in shared ecosystems (e.g., NACH).',
'Discrepancies between internal claims (e.g., Nupay’s '
'‘test data’) and independent findings highlight the need '
'for transparent investigations.'],
'post_incident_analysis': {'corrective_actions': ['Nupay secured the '
'misconfigured bucket (date '
'unspecified).',
'CERT-In involvement '
'suggests potential '
'regulatory follow-up '
'(details unclear).'],
'root_causes': ['Human error in configuring Amazon '
'S3 bucket permissions (public '
'accessibility).',
'Lack of monitoring to detect '
'unauthorized exposure of '
'sensitive data.',
'Ambiguity in data ownership '
'within the NACH ecosystem.']},
'recommendations': ['Implement automated tools to audit cloud storage '
'permissions and detect misconfigurations.',
'Conduct regular third-party security assessments for '
'critical financial data repositories.',
'Establish clearer protocols for cross-entity incident '
'response in shared payment infrastructures like NACH.',
'Enhance logging and access controls to track and '
'restrict exposure of sensitive data.'],
'references': [{'date_accessed': '2023-09-25',
'source': 'TechCrunch',
'url': 'https://techcrunch.com/2023/09/25/india-bank-transfer-data-leak/'},
{'source': 'UpGuard Research Blog'},
{'source': 'Grayhatwarfare (public bucket index)',
'url': 'https://grayhatwarfare.com/'}],
'regulatory_compliance': {'regulatory_notifications': ['CERT-In notified; '
'NPCI and affected '
'banks informed']},
'response': {'communication_strategy': ['notifications to Aye Finance, NPCI, '
'and CERT-In by UpGuard',
'public disclosure via TechCrunch '
'article',
'Nupay’s post-incident statement '
'disputing severity'],
'containment_measures': ['securing the misconfigured Amazon S3 '
'bucket'],
'incident_response_plan_activated': True,
'third_party_assistance': ['UpGuard (discovery and notification)',
'CERT-In (remediation support)']},
'stakeholder_advisories': ['NPCI and affected banks notified by UpGuard and '
'CERT-In.',
'Aye Finance and SBI contacted but denied '
'responsibility initially.'],
'title': 'Unsecured Cloud Server Exposes 273,000 Sensitive Bank Transfer '
'Documents in India',
'type': ['data breach', 'unsecured cloud storage', 'misconfiguration'],
'vulnerability_exploited': 'improper access controls (configuration gap in S3 '
'bucket permissions)'}