Skip to content

Misconfigured ICICI Bank cloud storage leaked 3.6 million records

  • by
  • 3 min read

After its IT resources were named “critical information infrastructure” by the Indian government in June 2022, ICICI Bank seems not to have employed digital data protection measures that could live up to the title. The Cybernews research team discovered that the bank was leaking sensitive data due to a misconfiguration in its systems. 

On February 1, the Cybernews research team discovered a misconfigured ICICI Bank Digital Ocean bucket with over 3.6 million files belonging to the bank. These files included sensitive data from the bank and its customers, including but not limited to sensitive customer documents like passports, PAN cards, filled KYC (Know Your Customer) forms, bank account details, credit card numbers, full names, dates of birth, home addresses, phone numbers and emails. CVs of current employees and future job candidates were also found. 

Leaked passport of an ICICI Bank customer. | Source: Cybernews

The bank is yet to issue an official statement on the data leak. Cybernews did reach out to the bank and CERT-In and the issue was fixed as by March 30, access to the exposed Digital Ocean data bucket was restricted. However, when reached out for a comment, the bank simply denied knowing what incident the researchers were referring to, recommending that they reach out to the corporate communications team instead. 

It’s unclear whether or not threat actors accessed the exposed details during their exposure period. That said, if any threat actor does get their hands on the leaked data, it could have severe consequences for the bank and its customers.

The leaked data can seriously undermine the bank’s reputation and put the customers and employees at risk of phishing and fraud attacks. 

Leaked bank statement from a customer. | Source: Cybernews

The leaked documents can also be used to create fake accounts in the victim’s name without their consent or information. Moreover, his data can also be put up for sale on the dark web, although no such instance has yet been discovered. 

We’ve reached out for a comment but haven’t received any response from ICICI at the time of publishing this story.

In the News: OpenAI faces an uncertain future in Europe

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: