A major data breach in India has reportedly exposed more than 273,000 bank transfer records in PDF form, which were found on an unsecured Amazon Web Services (AWS) server accessible to anyone with the correct link. The files contained completed transaction forms that were meant to be processed through the National Automated Clearing House (NACH), India’s centralized system for high-volume recurring payments. These include routine transactions like salaries, loan repayments, insurance premiums, and utility bills. The breach was first uncovered by cybersecurity firm UpGuard.
The exposure is considered significant because, according to the report, these records included sensitive details such as account numbers, transaction amounts, and personal contact information (names, phone numbers, and email addresses), putting thousands of individuals at potential risk of fraud and identity theft.
Researchers also noted that the exposed files were not static, with around 3,000 new files being added daily. Each PDF carried the metadata title ‘NACH MANDATE’, initially suggesting a possible connection to the National Payments Corporation of India (NPCI). UpGuard also reported that on August 29 it contacted NPCI, urging the agency to trace the origin of the exposed cloud storage bucket. Nearly a month later, NPCI’s Computer Security Incident Response Team clarified that its systems had not been breached.
The breach affected customers of at least 38 banks and financial institutions across India. Among the most frequently appearing organizations (present in about 60% of the documents) was Aye Finance, a Google-backed micro-enterprise lender that had filed for a $171 million IPO in December 2024. Apart from Aye Finance, some other large institutions (including the State Bank of India, Punjab National Bank and other big names) were also included in the leak.
Each file contained extensive details of financial transactions, meaning that anyone accessing the data could potentially link individual bank accounts to personal identities. The report further indicates that the data was still publicly accessible in early September, but subsequent interventions secured it.
Despite the severity of the exposure, it remains unclear why the data was left publicly accessible. Generally, such leaks are caused by a misconfigured cloud server, a type of human error that is often preventable with standard security practices. Earlier, the personal data of millions of Indian citizens was reportedly exposed online for several years due to a misconfiguration in the government cloud service S3WaaS. Importantly, until now, neither NPCI nor any of the banks or companies whose data appeared in the bucket has claimed ownership of the exposed files.
The Tech Portal is published by Blue Box Media Private Limited.