infotechlead

FatakPay data leak exposes over 27 million sensitive files

On September 16th, Cybernews discovered a significant misconfiguration in an Amazon AWS S3 bucket belonging to FatakPay, a Mumbai-based fintech company. The unsecured bucket, which lacked password protection, exposed over 27 million sensitive files, including the personal and financial data of loan applicants.

Exposed Data:

Full names, home addresses, and contact information

National IDs, including PAN and Aadhaar numbers

Loan agreements, account statements, and filled applications

User selfies for verification

Credit score reports (CRIF and CIBIL)

The leaked Know Your Customer (KYC) documents and other details pose severe risks such as identity theft, financial fraud, phishing attacks, and physical threats like doxxing and harassment. Malicious actors could exploit this information to impersonate victims, take out loans, or gain unauthorized access to bank accounts.

Timeline:

Discovery: September 16th

Initial Disclosure: October 15th

Follow-ups: October 22nd – December 3rd

Secured: December 5th

FatakPay has not provided an official comment. The incident underscores the critical need for robust data security measures in financial institutions to protect users from the cascading consequences of data breaches.

Misconfigurations in Amazon AWS S3 buckets

Misconfigurations in Amazon AWS S3 buckets often occur due to a combination of human error, lack of technical expertise, and weak governance practices. One common cause is the inadvertent setting of public accessibility during bucket creation, often because users misunderstand the implications of permission settings. The complexity of AWS’s permission structures, including Identity and Access Management (IAM) policies, bucket policies, and access control lists, can also lead to errors where access is granted more broadly than intended.

Inadequate monitoring and poor security practices exacerbate these issues. For instance, failing to enable logging tools such as AWS CloudTrail or S3 Access Logs can make it difficult to detect unauthorized access or unintended exposure. Similarly, the absence of encryption for stored data adds another layer of vulnerability. Missteps can also arise when organizations rely on default settings or third-party tools, assuming they are secure, or during the integration of S3 with other systems, where configurations may be unintentionally overridden.

Governance issues, such as the lack of regular audits or automated security checks, allow misconfigurations to persist undetected. Rapid scaling, particularly in startups or small teams, often prioritizes speed over security, leading to oversight in configuring storage. As data volume grows, maintaining secure configurations becomes even more challenging without proper controls.

Preventing such misconfigurations requires a focus on training administrators, leveraging AWS security tools, implementing automated scans, conducting regular audits, and enforcing the principle of least privilege to restrict access. Addressing these challenges can significantly reduce the likelihood of sensitive data being exposed through misconfigured S3 buckets.
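
An added example (not from the original article or from AWS) of the kind of automated scan mentioned above: it evaluates a snapshot of one bucket's settings and separates actual public exposure from weak hygiene. The `cfg` dict layout, the finding strings and the sample bucket name are assumptions; in practice the fields would be filled from the bucket's policy, ACL, Block Public Access, logging and encryption settings, and account-level Block Public Access is not modelled.

```python
import json

# Grantee URIs AWS defines for "anyone" and "any AWS account holder".
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/" + g
                 for g in ("AllUsers", "AuthenticatedUsers")}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_is_public(policy_json):
    """True if an Allow statement has a wildcard principal and no Condition (simplified)."""
    for stmt in _as_list(json.loads(policy_json or "{}").get("Statement", [])):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = "*" if "*" in _as_list(principal.get("AWS", [])) else None
        if stmt.get("Effect") == "Allow" and principal == "*" and not stmt.get("Condition"):
            return True
    return False

def audit_bucket(cfg):
    """cfg is a hypothetical snapshot dict of one bucket; returns sorted findings."""
    pab = cfg.get("public_access_block") or {}
    acl_public = any(g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS
                     for g in cfg.get("acl_grants", []))
    findings = []
    # RestrictPublicBuckets neutralises a public policy; IgnorePublicAcls a public ACL.
    if policy_is_public(cfg.get("policy")) and not pab.get("RestrictPublicBuckets"):
        findings.append("EXPOSED: bucket policy allows anonymous access")
    if acl_public and not pab.get("IgnorePublicAcls"):
        findings.append("EXPOSED: ACL grants access to a public group")
    if not all(pab.get(flag) for flag in PAB_FLAGS):
        findings.append("WEAK: Block Public Access not fully enabled")
    if not cfg.get("logging_enabled"):
        findings.append("WEAK: server access logging disabled")
    if not cfg.get("default_encryption"):
        findings.append("WEAK: no default encryption configured")
    return sorted(findings)

# Constructed sample snapshots, not data from the incident described above.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-kyc-uploads/*"}]})
EXPOSED = {"policy": PUBLIC_POLICY, "acl_grants": [], "public_access_block": None,
           "logging_enabled": False, "default_encryption": None}
LOCKED = {"policy": PUBLIC_POLICY, "acl_grants": [], "logging_enabled": True,
          "default_encryption": "aws:kms",
          "public_access_block": dict.fromkeys(PAB_FLAGS, True)}
```

Calling `audit_bucket(EXPOSED)` reports the anonymous-access policy plus three hygiene findings, while `audit_bucket(LOCKED)` returns an empty list because Block Public Access overrides the same policy.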

Rajani Baburajan
