By Sayan Sen

Copyright yourstory

Lakhs of bank transfers involving Aye Finance, State Bank of India, Punjab National Bank and dozens of other institutions were leaked after a cloud storage bucket was left unsecured and open to the public, with its origin still untraced.

The breach, discovered by US cybersecurity firm UpGuard, contained more than 273,000 PDF documents stored in an Amazon Web Services cloud bucket. The files revealed sensitive banking information from transactions processed through National Automated Clearing House (NACH), a bulk payments platform used for recurring transactions like loan payments and utility bills.

The trove, an Amazon cloud bucket, wasn’t just static old files. Researchers found roughly 3,000 new files were being added daily, many revealing bank account numbers, transaction amounts, and in numerous cases, the names, phone numbers, and email addresses of customers.

Because every document carried the metadata title “NACH MANDATE,” UpGuard initially assumed the National Payments Corporation of India could trace the source. On August 29, the firm wrote to NPCI, urging it to identify the bucket owner.

Nearly a month later, NPCI’s Computer Security Incident Response Team replied that its systems had not been breached. “A detailed verification and review have confirmed that no data related to NACH mandate information/records from NPCI systems have been exposed/compromised,” the agency wrote. “The data in question does not belong to NPCI.”

A leak from NPCI’s infrastructure was unlikely, since the distribution of banks in the exposed files skewed heavily toward one lender rather than reflecting the overall market share UpGuard said in its Blogpost. NPCI’s denial confirmed the breach originated elsewhere.

Although 38 banks and financial institutions appeared in the sample set, one stood out: micro-enterprise lender Aye Finance, which was present in nearly 60% of the documents.

Attribution remains unresolved, as neither NPCI nor any of the institutions named in the documents has claimed ownership of the exposed cloud bucket.

The news comes after Aye Finance Ltd received the green light from the Securities and Exchange Board of India (SEBI) to proceed with its initial public offering (IPO). Gurugram-based non-banking financial company (NBFC) Aye Finance is targeting Rs 1,450 crore in its public debut.

In recent months, the Reserve Bank of India (RBI) has made a case for adopting risk-based supervision, zero-trust approaches, and AI-aware defence strategies to tackle online fraud and boost cybersecurity resilience in the financial sector.

The central bank flagged that phishing and social engineering attacks are evolving through generative AI-powered methods, such as deepfakes and contextual fraud. “The expanding scale of digital financial services, cloud-based infrastructure and interconnected systems across sectors has exponentially increased the cyberattack surface,” said the RBI’s bi-annual Financial Stability Report.

It further said that given the systemic interconnectedness of financial entities and technology service providers, ensuring cyber resilience is critical to maintaining trust, stability and business continuity. As organisations increasingly depend on third-party service providers for their business operations, vulnerabilities in the supply chain could pose systemic risk.

Furthermore, the RBI said the overreliance on a few major IT and cloud service providers has created dependency and vendor lock-in problems, leading to concentration risks. Vulnerability in one system can quickly propagate across networks, affecting multiple entities, the report said.
(Edited by Jyoti Narayan)