A critical data breach exposed over 2,73,000 sensitive bank transfer documents in India due to an unsecured Amazon S3 server managed by fintech firm Nupay. The leak, discovered by cybersecurity firm UpGuard, revealed highly confidential financial data, including account numbers, transaction details, and contact information tied to 38 banks. Nupay later acknowledged responsibility, attributing the incident to a 'configuration gap' in their cloud storage setup. The exposed data poses severe risks of financial fraud, identity theft, and reputational damage for affected customers and institutions. The breach underscores vulnerabilities in third-party financial service providers and the critical need for robust cybersecurity measures in handling sensitive banking data. Regulatory scrutiny and potential legal repercussions may follow, given the scale and sensitivity of the compromised information.

A misconfigured Amazon S3 storage bucket operated by Indian fintech company Nupay exposed 273,000 sensitive bank transfer documents, including account numbers, transaction details, and personal contact information of Indian customers. The leaked files—linked to 38 banks and financial institutions, prominently featuring Aye Finance and State Bank of India—were part of the National Automated Clearing House (NACH), India’s centralized system for high-volume transactions like salaries and loan repayments.Researchers at UpGuard discovered the publicly accessible bucket in late August 2023, noting that thousands of new files were being added daily even after initial alerts. While Nupay later claimed the exposed data was mostly ‘dummy or test records’, UpGuard disputed this, stating only a few hundred of the sampled files appeared non-sensitive. The bucket’s details were also indexed by Grayhatwarfare, a public database of unsecured cloud storage, raising concerns over potential unauthorized access.The exposure was secured in early September after interventions from CERT-In (India’s cybersecurity agency), but the incident highlighted critical lapses in cloud security protocols, risking financial fraud, identity theft, and reputational damage for affected individuals and institutions. Nupay attributed the breach to a ‘configuration gap’ but provided no clarity on the duration of exposure or evidence ruling out data misuse.