On 20th April 2023, Security Affairs reported leakage of sensitive personal data including copy of Visa/Passport, Bank statement and Director KYC form of a client. Here is the report : Multinational ICICI Bank leaks passports and credit card numbers Security Affairs
This report was then repeated by many blogs and journals.
Later today ICICI Bank has issued the following statement:
"We strongly debunk the baseless allegations levelled against the Bank in the article which appears to be a mischievous attempt to tarnish our image and mislead our customers.
On Feb 2, the research team of Cybernews contacted us. They claimed to have " discovered a leaking Digital Ocean bucket" which they believed " belong to the Bank". They also shared four URLs containing information of documents namely I) a copy of an email sent by the Bank informing a customer about the launch of ICICI Stack ii) a one-page statement of an account of a single customer iii) a receipt of a payment made via internet banking iv) a statement of transactions of a single customer. Thereafter, we reached out to them seeking further details but we didn't get anything.
Please note below the facts vis-à-vis the allegations made in the article:
a) The Bank does not own or manage the said URLs. Therefore, there is no question of a misconfiguration at the Bank’s end, as is mentioned in the article.
b) The four documents found in the URLs seemed to be uploaded by individuals as storage. They do not compromise the security of any account.
c) Since the documents carried the Bank’s name, we took steps to bring the URLs down.
d) There is no evidence of availability of 3.6 million files with customer data, as mentioned in the article."