IPO-Bound Aye Finance Says NACH Data Exposed Due To Misconfiguration By Vendor

SUMMARY

As per UpGuard, the highest number of files which exposed information like account numbers and personal details were linked to Aye Finance

As per Aye Finance, Nupay, an integration partner for NACH management, acknowledged that its bucket had been misconfigured but assured the issue was fixed in early September

In August, UpGuard researchers discovered a publicly accessible Amazon cloud storage bucket containing more than 2.73 Lakh (273,160) PDF files worth 210 GB of NACH transactions

After cyber security solutions provider UpGuard flagged that a data set of Indian financial institutions relating to funds transfers via the National Automated Clearing House (NACH) was exposed, IPO-bound NBFC Aye Finance has denied any misconfiguration in its systems.

As per UpGuard, it found that the highest number of files which exposed information like account numbers, transaction amounts, validity periods, bank codes, institution names, and, in many cases, phone numbers, emails, and names were linked to Aye Finance. TechCrunch was the first to report on this development.

“We wish to clarify that there has been no misconfiguration in Aye Finance servers or any kind of data breach. We do not store any NACH Mandate forms in our AWS S3 Storage and hence there was no question of misconfiguration or exposure,” Aye Finance told Inc42 in a statement.

According to Aye Finance, Nupay, an integration partner for NACH management, acknowledged that its bucket had been misconfigured but assured the issue was fixed in early September.

“They have further assured us that this did not contain any signed ACH, Aadhaar or PAN card of our customers,” the NBFC added.

NACH is a web-based solution from the National Payments Corporation of India (NPCI) to facilitate interbank, high-volume electronic transactions which are repetitive and periodic in nature. It can be used for bulk transactions towards the distribution of subsidies, dividends, interest, salary, and pension, among others, and also for bulk transactions towards the collection of payments pertaining to telephone, electricity, water, loans, investments in mutual funds, and insurance premiums, among others.

Notably, Nupay also provides NACH mandate management services to other leading financial institutions such as Tata Capital, Bajaj Finserv, and HDB Financial Services. The vendor confirmed to Aye Finance that the incident was contained and that customer identity documents were not compromised.

What Did UpGuard Find?

In August, UpGuard researchers discovered a publicly accessible Amazon cloud storage bucket containing more than 2.73 Lakh (273,160) PDF files worth 210 GB of NACH transactions, dating as early as April 10. It said that about 3,000 new files were being added to the data set every day.

The data set contained details linked to at least 38 banks and financial institutions, including SBI, Bank of Baroda, Unity Small Finance Bank, Axis Bank, HDFC Bank, among others.

UpGuard’s sample analysis of over 55K files showed that Aye Finance was mentioned in nearly 60% of the leaked forms. SBI was the next most frequent institution appearing in the sample (24.2%). 

Besides Muthoot Capital, Bank of Baroda, and Punjab National Bank had over 10% share in the sample. Notably, all documents carried the metadata title “NACH MANDATE.cdr”.

Since the forms were all related to NACH, the cybersecurity firm alerted Aye Finance, the NPCI and CERT-In (Indian Computer Emergency Response Team). 

On September 4, UpGuard researchers found that the aforementioned bucket, which had exposed the data, was secured.

On September 23, NPCI CSIRT told UpGuard, “A detailed verification and review have confirmed that no data related to NACH mandate information/records from NPCI systems have been exposed/compromised. The data in question does not belong to NPCI. NPCI operates a robust and secure technology infrastructure aligned with the highest standards of data security and governance.”

The incident highlights persistent challenges in cloud security and the lack of clear accountability and strong data protection enforcement, particularly in India’s rapidly digitising financial sector.

The latest incident also points to the challenges faced by Indian companies on the data security front. In June this year, a hacker accessed Zoomcar’s 8.4 Mn customers’ personal information. Last year, the personal data of millions of Star Health & Allied Insurance’s customers was put up for sale on the Telegram app.
