Last Updated: 2025-09-29 ~ DPDP Consultants

One misconfiguration, 2.73 lakh records exposed: A wake-up call for India’s financial ecosystem

Imagine a folder in the cloud that anyone with the link can open, and inside are hundreds of thousands of completed bank transfer forms: account numbers, transaction amounts, names, phone numbers and email addresses. That’s exactly what security researchers found when they discovered an unsecured Amazon-hosted storage bucket containing roughly 2.73 lakh individual transaction files formatted for India’s National Automated Clearing House (NACH).


An investigation by cybersecurity firm UpGuard uncovered the exposed server on August 26; their sample analysis showed many files contained unredacted account numbers and contact details. The exposed dataset spanned 38 banks and non-bank lenders, and one small NBFC — Aye Finance — accounted for nearly 60% of the records in the sample. UpGuard notified affected parties and escalated the matter to NPCI and India’s CERT-In; the exposed bucket was reported secured in early September.


The leak was not from NPCI’s systems, the authority clarified after a review, but the dataset contained documents formatted to NACH requirements and listed many lenders and originators. In UpGuard’s sample, Aye Finance accounted for the largest share of exposed documents; other lenders named in public reporting include State Bank of India, Muthoot Capital, Bank of Baroda and Punjab National Bank. Public statements so far have focused on a likely vendor or integration misconfiguration along the NACH chain rather than a direct breach of a single large bank’s core systems.


Two facts raise the stakes beyond the raw numbers. First, these were not hashed or redacted PDFs — they were completed forms with live account numbers and contact details, which materially increases fraud and social-engineering risk for affected individuals. Second, the exposure highlights supply-chain risk: systems that sit between banks, NPCI and originators (vendors, integrators, cloud managers) can introduce vulnerabilities that affect dozens of institutions at once. That makes incident response and attribution messy, and it slows remediation — which is exactly what the UpGuard timeline showed.

 

A short timeline:

  • Discovery by UpGuard: Aug 26 (researchers downloaded a 55,000-file sample for analysis).
  • Notification to an affected NBFC: Aug 27–28.
  • Escalation to NPCI: Aug 29; contact with CERT-In followed.
  • Bucket secured: early September.

This sequence illustrates a common pattern: discovery by third-party researchers, attempts to notify multiple stakeholders, then a delayed but decisive containment step.

What organisations should do right now:

  1. Treat vendor integrations as first-class risks. Contracts, inventories and technical audits must cover cloud storage configurations and access control for every integration partner.
  2. Harden cloud storage immediately. For Amazon S3 (and equivalent object stores) enable Block Public Access, enforce TLS-only uploads/downloads, use server-side encryption, and run S3 Access Analyzer / similar tools to detect overly permissive policies. 
  3. Enforce least-privilege IAM and rotate temporary credentials. Remove wildcard policies and periodically review roles used by vendors and automation. 
  4. Log, monitor and retain evidence. Maintain audit trails and alerts so an exposed bucket is detected quickly; follow CERT-In guidance on incident response and reporting timelines. 
  5. Plan clear customer communications and remediation. If personal data is exposed, prepare timely notifications, support for fraud monitoring, and a transparent incident disclosure.
  6. Assume the supply chain can be the weakest link. Regular penetration testing, vendor risk scoring, and contractual SLAs for misconfiguration and incident notification reduce the chance of a repeat.
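
The storage checks in steps 2 and 3 can be run offline against exported bucket settings. The sketch below is an added example, not part of the original article or of any tool it names; the two sample configurations and the bucket name are constructed, and the TLS check only confirms that a Deny statement keyed on `aws:SecureTransport` exists.

```python
import json

# Constructed samples in the shape of exported bucket settings; placeholder bucket name.
ARN = "arn:aws:s3:::example-mandate-forms"
WEAK = {
    "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                          "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "Policy": json.dumps({"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": ARN + "/*"}]}),
    "Encryption": None,
}
HARDENED = {
    "PublicAccessBlock": dict.fromkeys(
        ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"), True),
    "Policy": json.dumps({"Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [ARN, ARN + "/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
    "Encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
}
PAB_FLAGS = tuple(HARDENED["PublicAccessBlock"])

def _listify(v):
    return v if isinstance(v, list) else [v]

def _everyone(principal):
    # "*" or {"AWS": "*"} both mean any caller, authenticated or not.
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _listify(principal.get("AWS", [])))

def audit_bucket(cfg):
    """Return a list of findings; an empty list means all four checks passed."""
    pab = cfg.get("PublicAccessBlock") or {}
    findings = [f"block-public-access: {f} is off" for f in PAB_FLAGS if not pab.get(f)]
    policy = json.loads(cfg["Policy"]) if cfg.get("Policy") else {}
    tls_only = False
    for st in _listify(policy.get("Statement", [])):
        cond = st.get("Condition") or {}
        if st.get("Effect") == "Allow" and _everyone(st.get("Principal")) and not cond:
            findings.append(f"policy: unconditional Allow to everyone on {st.get('Action')}")
        secure = str((cond.get("Bool") or {}).get("aws:SecureTransport", "")).lower()
        tls_only = tls_only or (st.get("Effect") == "Deny" and secure == "false")
    if not tls_only:
        findings.append("policy: no Deny when aws:SecureTransport is false")
    rules = (cfg.get("Encryption") or {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules):
        findings.append("encryption: no default server-side encryption rule")
    return findings
```

`audit_bucket(WEAK)` reports the two disabled Block Public Access flags, the anonymous `s3:GetObject` grant, the missing TLS-only statement and the missing encryption rule; `audit_bucket(HARDENED)` returns an empty list.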

What this means for payments built on NACH
NACH enables mass recurring payments and mandates — its utility is why large volumes of sensitive forms exist. But mass-processing systems demand mass attention to data governance: data minimisation (store only what’s needed), tokenisation where possible, and encryption-at-rest plus strict access controls. Until those protections are standard across originators, banks and integrators, incidents like this will continue to create outsized ripple effects.


This breach is not just an IT problem — it’s a governance, vendor-management and customer-trust challenge. The specifics (2.73 lakh files; unredacted account details; multiple lenders implicated) make it a high-visibility example of why organisations must move beyond box-checking security and build continuous, supply-chain aware cyber hygiene into payments infrastructure.
