
Anatomy of an S3 Exposure: 273K Bank Transfer PDFs Left Open Online


In the balance of 2025, Casmer Labs, Cloud Storage Security’s internal threat laboratory, has observed a number of high-profile incidents in which publicly accessible object storage resources, whether through human error, lack of monitoring/observability, or other factors, may lead or have led to catastrophic data breaches.

The Breakdown

First reported by TechCrunch on September 26, 2025, an Amazon S3 bucket containing over 273,000 Indian bank transfer mandate forms was discovered publicly accessible on the internet.

The exposed dataset was first identified by UpGuard, who noted that the bucket contained NACH (National Automated Clearing House) PDF files with sensitive financial and personal information, including:

  • Account holder names and addresses

  • Bank account numbers and IFSC codes

  • Transaction amounts and mandate references

The affected files were tied to multiple financial institutions and digital payment providers. According to The Economic Times and YourStory, the exposed bucket was secured following notification, but not before copies had been publicly accessible for several days.

This is the latest in a continuing series of Amazon S3 misconfiguration incidents in which public access settings were inadvertently enabled, allowing anyone with basic open-source tools or web indexing to retrieve sensitive data.

The How

The root cause was a misconfigured Amazon S3 bucket left with public read access enabled.
No breach, intrusion, or exploit occurred—this was a simple configuration oversight that bypassed basic access governance.

While AWS provides features such as Block Public Access, bucket policy enforcement, and IAM permission boundaries, these controls are only effective when correctly configured and continuously monitored.

The exposure also demonstrates a persistent visibility gap: many organizations remain unaware of what data resides in their storage, who owns it, or how it is shared. Without ongoing posture assessments or data classification, financial and personal records can remain unprotected for long periods.

The Main Problem

The issue was not the AWS platform itself, but the lack of governance over data and configuration drift.
Publicly accessible storage continues to be one of the most common and preventable causes of data exposure across industries.

Common contributing factors include:

  • Unrestricted bucket permissions and forgotten testing or staging resources

  • No centralized visibility into cloud storage across multiple accounts or environments

  • Failure to classify sensitive data, preventing prioritized protection

  • Lack of real-time alerting on bucket configuration changes or anomalous access activity

In this case, the impact was amplified by the nature of the exposed data—financial records containing personal identifiers—making it an attractive target for fraud and identity theft.

What Organizations Should Do Now

To prevent similar incidents, organizations should implement the following measures:

Restrict Public Access & Secure Cloud Storage

  • Enable AWS Block Public Access on all buckets.

  • Apply least-privilege IAM permissions and enforce ownership controls.

  • Review and update ACLs and policies regularly.
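
The review described above can be scripted. The following is an added example, not code from the original post or from Cloud Storage Security: it evaluates Block Public Access flags, ACL grants and a bucket policy to decide whether a bucket is readable without credentials. The bucket names and function names are hypothetical, the inputs are constructed, and the dict shapes follow the responses of the S3 GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy APIs.

```python
# Added example: offline posture check over constructed bucket settings.
# Bucket names are made up; dict shapes follow the S3 API responses.
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:Get*", "s3:List*", "s3:*", "*"}

def as_list(v):
    return v if isinstance(v, list) else [v]

def public_read_findings(bpa, acl_grants, policy_json):
    """Return the reasons a bucket is readable without credentials."""
    bpa = bpa or {}  # no Block Public Access configuration: every flag is off
    findings = []
    # IgnorePublicAcls is the flag that neutralises existing public ACL grants.
    if not bpa.get("IgnorePublicAcls"):
        for g in acl_grants:
            if g["Grantee"].get("URI") == ALL_USERS and g["Permission"] in ("READ", "FULL_CONTROL"):
                findings.append(f"ACL grants {g['Permission']} to AllUsers")
    # RestrictPublicBuckets cuts off anonymous access granted by a public policy.
    if policy_json and not bpa.get("RestrictPublicBuckets"):
        for st in as_list(json.loads(policy_json).get("Statement", [])):
            principal = st.get("Principal")
            wildcard = principal == "*" or (isinstance(principal, dict) and "*" in as_list(principal.get("AWS", [])))
            actions = set(as_list(st.get("Action", []))) & READ_ACTIONS
            # Simplification: any Condition is treated as narrowing the grant.
            if st.get("Effect") == "Allow" and wildcard and actions and not st.get("Condition"):
                findings.append(f"policy allows {sorted(actions)} to any principal")
    return findings

# Constructed sample inventory: (Block Public Access flags, ACL grants, policy).
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-mandates/*"}]})
ALL_ON = dict.fromkeys(("BlockPublicAcls", "IgnorePublicAcls",
                        "BlockPublicPolicy", "RestrictPublicBuckets"), True)
PUBLIC_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
INVENTORY = {
    "example-mandates": (None, [], OPEN_POLICY),                       # open policy
    "example-staging": ({"BlockPublicAcls": True}, PUBLIC_ACL, None),  # old ACL still live
    "example-locked": (ALL_ON, PUBLIC_ACL, OPEN_POLICY),               # flags override both
}

def audit(inventory):
    return {name: public_read_findings(*cfg) for name, cfg in inventory.items()}

if __name__ == "__main__":
    print(audit(INVENTORY))
```

The `example-staging` case shows why all four flags matter: `BlockPublicAcls` only rejects new public ACLs, so a grant made earlier stays effective until `IgnorePublicAcls` is also set.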

Monitor & Audit Access

  • Continuously monitor access logs for unauthorized activity.

  • Detect anomalous read patterns or object listings from unfamiliar sources.
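
One way to implement the detection above, as an added example that is not part of the original post: it parses S3 server access log lines and reports sources that listed the bucket or read objects without authenticating. The log lines, the allowlisted IP, the threshold and the function name are constructed assumptions.

```python
# Added example: flag unauthenticated reads and listings in S3 server access logs.
# Log lines are constructed (documentation IPs, fake IDs) and cut after the status
# field; the regex also matches full-length lines in the same field order.
import re
from collections import defaultdict

LINE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<reqid>\S+) (?P<op>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\S+)')
KNOWN_SOURCES = {"198.51.100.10"}  # assumption: the organisation's own egress IP
BULK_THRESHOLD = 3                 # assumption: distinct keys that count as bulk

SAMPLE_LOG = """\
OWNER example-mandates [01/Jan/2025:10:00:01 +0000] 198.51.100.10 arn:aws:iam::111122223333:user/app REQ1 REST.GET.OBJECT forms/a.pdf "GET /forms/a.pdf HTTP/1.1" 200
OWNER example-mandates [01/Jan/2025:10:02:11 +0000] 203.0.113.7 - REQ2 REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200
OWNER example-mandates [01/Jan/2025:10:02:12 +0000] 203.0.113.7 - REQ3 REST.GET.OBJECT forms/a.pdf "GET /forms/a.pdf HTTP/1.1" 200
OWNER example-mandates [01/Jan/2025:10:02:13 +0000] 203.0.113.7 - REQ4 REST.GET.OBJECT forms/b.pdf "GET /forms/b.pdf HTTP/1.1" 200
OWNER example-mandates [01/Jan/2025:10:02:14 +0000] 203.0.113.7 - REQ5 REST.GET.OBJECT forms/c.pdf "GET /forms/c.pdf HTTP/1.1" 206
OWNER example-mandates [01/Jan/2025:10:05:40 +0000] 192.0.2.44 - REQ6 REST.GET.OBJECT forms/a.pdf "GET /forms/a.pdf HTTP/1.1" 403
OWNER example-mandates [01/Jan/2025:10:09:02 +0000] 192.0.2.80 - REQ7 REST.GET.OBJECT forms/a.pdf "GET /forms/a.pdf HTTP/1.1" 200
"""

def anonymous_access(log_text):
    """Map source IP -> findings for unauthenticated, successful reads."""
    listed, keys = set(), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        # Requester "-" marks an unauthenticated request; keep only successes.
        if (not m or m["requester"] != "-" or m["ip"] in KNOWN_SOURCES
                or m["status"] not in ("200", "206")):
            continue
        if m["op"] == "REST.GET.BUCKET":      # object listing
            listed.add(m["ip"])
        elif m["op"] == "REST.GET.OBJECT":    # object download
            keys[m["ip"]].add(m["key"])
    findings = {}
    for ip in sorted(listed | set(keys)):
        reasons = ["anonymous bucket listing"] if ip in listed else []
        n = len(keys[ip])
        if n:
            reasons.append(f"anonymous bulk read of {n} objects" if n >= BULK_THRESHOLD
                           else "anonymous object read")
        findings[ip] = reasons
    return findings

if __name__ == "__main__":
    print(anonymous_access(SAMPLE_LOG))
```

Any finding here also means the bucket itself is publicly readable, since an unauthenticated request only succeeds when a policy or ACL allows it.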

Classify and Protect Sensitive Data

  • Identify and label financial or personal data stored in S3.

  • Apply tighter access controls and additional encryption around sensitive buckets.

Automate Security Posture Checks

  • Deploy automated scanning to detect and remediate misconfigurations before exposure.

  • Ensure that every new or modified bucket undergoes a security posture review.

Conduct Routine Security Assessments

  • Perform ongoing audits and penetration testing of storage configurations.

  • Include misconfiguration checks in third-party vendor reviews.

 

About DataDefender 

DataDefender by Cloud Storage Security offers customers complete protection over the entirety of their cloud storage environment. Make sure your organization:

  • Knows where its sensitive data resides

  • Configures its storage resources in a secure manner

  • Prevents the ingestion and distribution of malware, including ransomware

  • Identifies and stops internal and external attacks against storage, and the data within

 

DataDefender is available now. Sign up today and ensure that your organization’s data is protected according to its sensitivity.


About Cloud Storage Security

Cloud Storage Security (CSS) protects the storage layer in the cloud. DataDefender is a storage-focused DSPM and activity monitoring platform that helps organizations detect ransomware, data exfiltration, and insider misuse before damage occurs. CSS also offers Antivirus for Cloud Storage, a multi-engine, in-tenant malware scanner available in AWS Marketplace with a free trial.

 
