A major data spill from a misconfigured Amazon S3 storage bucket exposed over 273,000 PDF documents tied to Indian bank transfers, revealing names, account numbers, transaction amounts, and contact information linked with at least 38 banking and financial institutions (including Aye Finance and the State Bank of India). The records stemmed from the National Automated Clearing House (NACH) system. The leak, which persisted from August through early September, was discovered by UpGuard, which notified affected parties and India’s CERT-In. Nupay (a fintech) eventually acknowledged responsibility for the misconfiguration, while disputing the extent of exposure and denying financial impact or misuse. Questions remain about how long the bucket was public, whether malicious actors accessed the data, and why no single entity has accepted full culpability.
Sources: UpGuard, TechCrunch
Key Takeaways
– The exposed documents originated from recurring payment mandates processed via India’s NACH system, affecting multiple banks—especially micro-lender Aye Finance and the State Bank of India.
– Nupay has taken responsibility for the leak, citing a configuration error of an S3 bucket, but strongly contests claims of widespread real data exposure, misuse, or financial harm.
– Despite closure of the leak, uncertainty looms around the duration of exposure, potential misuse, and lack of a clear, centralized accountability mechanism for cloud-based data security failures.
In-Depth
In late August 2025, researchers from cybersecurity firm UpGuard came across an alarming discovery: a publicly exposed Amazon Web Services S3 bucket containing 273,000 PDF documents connected to Indian bank transfers. The files in question were tied to the National Automated Clearing House (NACH), a bulk payments pipeline used by banks to manage recurring transactions such as salaries, utility payments, and loan repayments. Within those documents lay sensitive personal data: names, contact information, bank account numbers, and transaction amounts. Many of these materials bore the names of institutions like Aye Finance and the State Bank of India, suggesting wide exposure across the financial ecosystem.
Over the ensuing weeks, UpGuard repeatedly alerted relevant stakeholders—Aye Finance, the National Payments Corporation of India (NPCI), and India’s CERT-In—to the issue. Despite these efforts, exposure continued; UpGuard observed thousands of new files arriving daily in early September. Eventually, the leak was plugged, and Nupay, a fintech firm, stepped forward to claim responsibility, attributing the issue to a “configuration gap” in its S3 bucket. Nupay insists that most records were test or dummy data and denies any unauthorized access or misuse. UpGuard, however, disputes that framing, noting that only a few hundred records in its sample bore signs of dummy data and questioning how Nupay’s internal logs alone could rule out external access.
What’s especially troubling is the lack of clear accountability. NPCI has denied that its systems were breached, and none of the banks implicated have fully accepted fault. Observers are left asking: how long was the data exposed? Did someone capture and exploit it? Was there indeed serious financial or identity harm? In the era of cloud storage, misconfigurations are among the most common causes of data exposure. The incident underscores that digital infrastructure, especially for institutions handling financial data, demands vigilant security audits, stricter access controls, and clear response protocols. Until the responsible parties are clearly identified and held to account, confidence in sensitive data handling in India’s fintech and banking sectors may remain shaky.

