On 21 April, CyberNews published a report saying over 3.6 million ICICI Bank files comprising the bank’s and its clients’ information were leaked from a publicly accessible cloud storage bucket managed by DigitalOcean, a New York-based cloud service provider.
The purported data leak, according to the research-based online publication, resulted from a misconfiguration of the bank’s systems that exposed the 35 lakh records. In its 4-point statement, ICICI Bank categorically denies the data breach incident.
According to information shared by Rahul Neel Mani, vice president of community engagement & editorial at ISMG, on LinkedIn, ICICI Bank issued a 4-point statement in which it dismisses CyberNews’ findings:
- The Bank does not own or manage the said URLs. Therefore, there is no question of a misconfiguration at the Bank’s end, as is mentioned in the article.
- The four documents found in the URLs seemed to be uploaded by individuals as storage. They do not compromise security of any account.
- Since the documents carried the Bank’s name, we took steps to bring the URLs down.
- There is no evidence of availability of 3.6 million files with customer data, as mentioned in the article.
Rahul Sasi, co-founder and CEO at CloudSEK, tells ETCISO that the CyberNews report is based on a leaked data dump from DigitalOcean. He says that the leaked dump contains data from several other companies and not just ICICI Bank.
“The compromised bucket contains information belonging to several other companies. I’m not sure why the researchers singled out ICICI,” he says. Commenting on the legitimacy of the dataset in question, Sasi says the data appears to be legitimate KYC information, but he’s certain the leaked data cannot be attributed to ICICI Bank.