A Public Leak in the Cloud
In late August, cybersecurity firm UpGuard found 273,000 PDF documents exposed on a public Amazon S3 bucket. The files contained bank transfer details processed through the National Automated Clearing House (NACH), India’s key system for recurring payments like salaries, EMIs, and utility bills.
The records spanned at least 38 financial institutions and included account numbers, amounts, and contact details. UpGuard alerted the National Payments Corporation of India, CERT-In, and affected banks. The bucket was later secured — but who was responsible remains disputed.
Nupay’s Role and the Misconfigured Server
Fintech firm Nupay later admitted the bucket was theirs but claimed it contained “limited test records.” They insisted no unauthorized access or misuse occurred.
FutureCrime Summit 2026: Registrations to Open Soon for India’s Biggest Cybercrime Conference
UpGuard disagreed, saying only a fraction of the documents looked like test data, and that the bucket had been indexed by Grayhatwarfare, making it publicly searchable. Several banks, including SBI, denied responsibility or declined comment.
The Scale of Exposure
Because NACH handles recurring, high-volume payments, the leak may have exposed long-term financial obligations. Experts warn that such data could fuel phishing, identity theft, or targeted fraud, even without direct theft.
The episode highlights the risks of poor cloud configurations: one access-control mistake can spill sensitive records into the open, where automated tools quickly find them.
Toward Accountability
The bucket is now secured, but broader questions remain. Regulators like the RBI and CERT-In may need to tighten oversight of fintechs and third-party processors connected to core banking networks.
For customers, banks have offered little clarity about who was affected or what protections will follow. The incident stands as another reminder that in cloud-based finance, trust depends on vigilance — and missteps can quickly erode both.
