India's ICICI Bank reportedly leaked millions of records with sensitive data

 


ICICI Bank, one of India's leading private sector banks, has leaked millions of records with sensitive data, including financial information and personal documents of the bank's clients, the Cybernews research team found.

The leak came to light in February 2023, when the team discovered a misconfigured and publicly accessible DigitalOcean bucket containing 3.6 million files belonging to ICICI Bank.

The exposed data included bank account details, credit card numbers, full names, dates of birth, home addresses, phone numbers, and emails, as well as files that revealed clients' passports, IDs, and Indian PANs – Indian taxpayer identification numbers. Bank statements and filled-in know-your-customer (KYC) forms were also leaked.

The server also hosted resumes of ICICI’s workers and applicants.

Researchers contacted the bank and the Indian Computer Emergency Response Team (CERT-IN) about the issue, and the bucket was secured on March 30.

The Cybernews team has warned that threat actors could use leaked data to commit identity theft and fraud.

“For example, cybercriminals could use the stolen credentials and personal data to open accounts in the names of individuals without them being aware. Employees, businesses, and individuals whose data were exposed could be at risk of spear phishing campaigns … Another risk is the data being sold on the dark web, and ICICI Bank risking to be a victim of ransomware attacks,” the researchers said.

