Public-Facing Amazon Storage Bucket Exposed Over 273,000 Indian Bank Transfers

September 30, 2025


Security researchers have discovered a publicly accessible Amazon S3 storage bucket that contains records of over 273,000 transfers taking place at banks in India, some of which have highly sensitive financial information in them.

The bucket exposes accounts from numerous different banks, and the researchers note that at the time of discovery there were thousands of new records being added to it daily. An Indian fintech company has since stepped forward to take responsibility, calling the issue a “configuration gap” and closing it off.

Bank files appear to contain sensitive information

The exposed files are from the NACH (National Automated Clearing House), widely used by banks in India since 2016 to standardize transaction processing. Security researchers with UpGuard discovered the exposed bucket, which remained available to the open internet for about a week and a half after discovery. While it is unlikely someone would randomly stumble across such a bucket, specialized search tools such as Shodan make it relatively easy to find such things when they are exposed to the open internet.

The UpGuard researchers analyzed 55,000 of the exposed files (or about 20% of the overall total) and found that the breach window extends back to at least April 2025 and at least 38 financial institutions in India had banking records exposed. Not all of the stored forms contain the same type of information, but some contain details that are highly sensitive such as bank account numbers and bank codes, information about specific transactions, and the full names and contact information of the people involved.

After the initial news stories on this incident broke, an Indian fintech company called Nupay stepped forward to take responsibility for the exposed bucket and make assurances that it had been secured. Nupay called the issue a “configuration gap” and characterized the leaked data as a “limited set of test records with basic customer details.” The company further claimed that its internal Amazon logs showed no unauthorized access, data leakage, misuse, or financial impact.

Storage misconfigurations remain common

Some studies have indicated that about 7% of all Amazon storage buckets of this sort are exposed to the internet, and about 21% of these contain some sort of sensitive data. The general prevalence of open buckets led Amazon to block public access and disable access control lists (ACLs) by default in mid-2023, but misconfigurations and mistakes by third-party vendors continue to be unfortunately common. Inexperienced vendors with high levels of permission may mistakenly change these public access or ACL settings.

Amazon’s security advice for dealing with third-party access to buckets includes using Organizations SCPs to ensure only specific approved accounts can change the public access setting, ensuring public access is not being granted to newly created items, ensuring that no identity-based policies are using wildcard actions, enabling the “GuardDuty” anomaly monitoring service, ensuring sensitive data is encrypted at rest, and using Amazon Macie to scan for sensitive data that may be sitting in areas that it should not be in.
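
Three of the checks in that advice (the public access setting, public ACL grants and bucket policies, and wildcard actions in identity-based policies) can be run offline against exported configuration. The following is an added example, not code from Amazon, UpGuard or Nupay; the dictionary layout follows the S3 and IAM API response shapes, while the function names, bucket name and sample policies are constructed for illustration. Bucket policy statements that carry a Condition are not flagged, since the condition may narrow the grant.

```python
# Added example: offline audit of exported S3 / IAM settings (sample data is constructed).
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")
PUBLIC_GROUPS = ("http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers")

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_bucket(cfg):
    """Return public-exposure findings for one bucket's exported settings."""
    findings = []
    pab = cfg.get("PublicAccessBlockConfiguration") or {}
    off = [flag for flag in PAB_FLAGS if not pab.get(flag)]
    if off:
        findings.append("public access block off: " + ",".join(off))
    for grant in cfg.get("Grants", []):
        if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
            findings.append("ACL grants %s to a public group" % grant["Permission"])
    for stmt in as_list((cfg.get("Policy") or {}).get("Statement", [])):
        who = stmt.get("Principal")
        anyone = who == "*" or (isinstance(who, dict) and "*" in as_list(who.get("AWS", [])))
        if stmt.get("Effect") == "Allow" and anyone and not stmt.get("Condition"):
            findings.append("bucket policy allows any principal")
    return findings

def wildcard_actions(identity_policy):
    """Return actions containing '*' in Allow statements of an identity policy."""
    hits = []
    for stmt in as_list(identity_policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            hits += [a for a in as_list(stmt.get("Action", [])) if "*" in a]
    return hits

# Constructed sample data: placeholder bucket name, hypothetical vendor policy.
EXPOSED = {
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True},
    "Grants": [{"Grantee": {"Type": "Group", "URI": PUBLIC_GROUPS[0]}, "Permission": "READ"}],
    "Policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                              "Resource": "arn:aws:s3:::example-bucket/*"}]},
}
LOCKED = {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True),
          "Grants": [{"Grantee": {"Type": "CanonicalUser"}, "Permission": "FULL_CONTROL"}]}
VENDOR_POLICY = {"Statement": {"Effect": "Allow", "Action": ["s3:*", "s3:ListBucket"],
                               "Resource": "*"}}

if __name__ == "__main__":
    print(audit_bucket(EXPOSED), audit_bucket(LOCKED), wildcard_actions(VENDOR_POLICY))
```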