A publicly accessible Amazon-hosted storage server exposed the personal data of potentially hundreds of thousands of people to anyone who found it, with no password required. The data included driver's licenses, passports, and other personal information collected by the Duc App, a money-transfer service owned by Toronto-based Duales.
The Canadian fintech company resolved the data exposure on Tuesday after TechCrunch informed its chief executive that one of its cloud storage servers was publicly listing its contents without a password.
The data was also stored unencrypted, allowing anyone with a link to view it in full.
Anurag Sen, a security researcher at CyPeace, discovered the security lapse and contacted TechCrunch for help notifying the data's owner. Sen noted that anyone could view and download the data in a web browser simply by guessing the storage server's web address.
According to Sen, the Amazon-hosted storage server listed over 360,000 files containing government-issued documents and other information used by customers to verify their identity through “know your customer” checks, including user-uploaded selfies for likeness verification.
TechCrunch could not determine the exact number of exposed driver’s licenses and passports; however, several folders contained tens of thousands of user-uploaded files, including driver’s licenses, passports, and selfies.
Duales advertises its app for sending money to other users, including overseas in Cuba and elsewhere. Its Android app listing on Google Play shows over 100,000 user downloads to date.
The files, which date back to September 2020 and were still being uploaded daily, also included spreadsheets listing customer names, home addresses, and transaction details.
Contacted by email, Duales chief executive Henry Martinez González told TechCrunch the data was stored on a “staging site,” used for testing, but did not explain why real customers’ personal information was sitting in that same storage server, publicly accessible.
“All protections are in place,” Martinez said. “We are notifying the appropriate parties. We have not contracted any services from you.”
After TechCrunch’s email, the files on the storage server were made inaccessible, though the server still publicly lists its contents, meaning the names of the files it holds remain visible to anyone.
Martinez did not confirm whether the company had logs or any other means to determine who accessed the data, or how many people did.
Duc App’s website appeared briefly down on Thursday with a “bad gateway” error.
It’s unclear why Duales left its Amazon-hosted storage server publicly open. Amazon has added safeguards over the years to prevent inadvertent data exposure, including blocking public access on newly created storage buckets by default, after several high-profile incidents in which corporate giants, and even a U.S. spy agency, exposed sensitive data through misconfigurations.
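Two practical points fall out of the story above: how a researcher confirms that a storage server is listing its contents to unauthenticated requests (and, as in the partial fix here, whether the listing is still open after the objects themselves were locked down), and which setting Amazon's safeguards refer to. The following Python is an added example written for this page, not code from TechCrunch, the researcher, or Duales. It assumes the storage server is an Amazon S3 bucket, as the description suggests; the bucket name, object keys, and the two XML response bodies are constructed samples modelled on S3's real ListBucketResult and Error formats, and the one network helper is only for buckets you are authorised to test.

```python
import re
import xml.etree.ElementTree as ET
from urllib.request import Request, urlopen
from urllib.error import HTTPError

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Constructed sample of a ListObjectsV2 (?list-type=2) response body, modelled on the
# real ListBucketResult schema; the bucket name and keys are invented for this example.
SAMPLE_LISTING = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-kyc-staging</Name><Prefix></Prefix><KeyCount>5</KeyCount>
  <MaxKeys>1000</MaxKeys><IsTruncated>true</IsTruncated>
  <NextContinuationToken>1ueGcxLPRx1Tr</NextContinuationToken>
  <Contents><Key>kyc/2020-09-14/u1001/passport.jpg</Key><Size>482113</Size></Contents>
  <Contents><Key>kyc/2020-09-14/u1001/selfie.jpg</Key><Size>211907</Size></Contents>
  <Contents><Key>kyc/2021-03-02/u2310/drivers_license_front.png</Key><Size>390221</Size></Contents>
  <Contents><Key>exports/customers-2024-01.xlsx</Key><Size>1048576</Size></Contents>
  <Contents><Key>assets/logo.png</Key><Size>8123</Size></Contents>
</ListBucketResult>"""

# Constructed sample of the error body S3 returns when an anonymous listing is refused.
SAMPLE_DENIED = b"""<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"""


def parse_listing(body):
    """Return (bucket_name, [(key, size), ...], is_truncated) from a ListBucketResult body."""
    root = ET.fromstring(body)
    if root.tag != S3_NS + "ListBucketResult":
        raise ValueError("not a ListBucketResult: " + root.tag)
    name = root.findtext(S3_NS + "Name")
    truncated = (root.findtext(S3_NS + "IsTruncated") or "false").lower() == "true"
    objects = [(c.findtext(S3_NS + "Key"), int(c.findtext(S3_NS + "Size") or 0))
               for c in root.iter(S3_NS + "Contents")]
    return name, objects, truncated


def classify_response(status, body):
    """Map an unsigned GET on the bucket root to: listable / denied / no-such-bucket / other."""
    if status == 200:
        try:
            parse_listing(body)
            return "listable"        # anonymous ListBucket is allowed: the Duc App state
        except (ET.ParseError, ValueError):
            return "other"
    try:
        code = ET.fromstring(body).findtext("Code")   # S3 error XML has no namespace
    except ET.ParseError:
        code = None
    if status == 403 and code == "AccessDenied":
        return "denied"
    if status == 404 and code == "NoSuchBucket":
        return "no-such-bucket"
    return "other"


# Key patterns suggesting KYC material, tuned to the file types named in the article.
CATEGORY_PATTERNS = [
    ("identity_document", re.compile(r"passport|driv(er|ing)s?[_-]?licen[cs]e|id[_-]?card", re.I)),
    ("selfie", re.compile(r"selfie|liveness", re.I)),
    ("bulk_export", re.compile(r"\.(csv|xlsx?)$", re.I)),
]


def triage_keys(keys):
    """Group object keys by category so a responder can size the exposure quickly."""
    report = {name: [] for name, _ in CATEGORY_PATTERNS}
    report["other"] = []
    for key in keys:
        for name, pat in CATEGORY_PATTERNS:
            if pat.search(key):
                report[name].append(key)
                break
        else:
            report["other"].append(key)
    return report


def fetch_anonymous(bucket, key=""):
    """Unsigned GET against the bucket's virtual-hosted URL; returns (status, body).
    Network call: run it only against a bucket you are authorised to test. With an
    empty key it requests the listing; with a key it requests one object, so comparing
    the two tells you whether objects were locked down while listing stayed open."""
    url = f"https://{bucket}.s3.amazonaws.com/{key}" + ("" if key else "?list-type=2")
    try:
        with urlopen(Request(url, headers={"User-Agent": "bucket-check"}), timeout=10) as r:
            return r.status, r.read()
    except HTTPError as e:
        return e.code, e.read()


# S3 Block Public Access with all four flags on: overrides permissive ACLs and bucket
# policies, so neither anonymous listing nor anonymous reads are possible.
HARDENED_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
}


def public_access_block_gaps(cfg):
    """Return the Block Public Access flags that are missing or not True in cfg."""
    return [k for k in HARDENED_PUBLIC_ACCESS_BLOCK if not cfg.get(k, False)]


if __name__ == "__main__":
    name, objects, truncated = parse_listing(SAMPLE_LISTING)
    print(f"{name}: {classify_response(200, SAMPLE_LISTING)}, "
          f"{len(objects)} keys shown, truncated={truncated}")
    for cat, keys in triage_keys([k for k, _ in objects]).items():
        print(f"  {cat}: {len(keys)}")
```

The `IsTruncated` flag matters for sizing an exposure like the 360,000-file listing above: a single listing response carries at most 1,000 keys, so a responder has to follow `NextContinuationToken` to count everything. The `public_access_block_gaps` check is what to run (via the `get-public-access-block` API) on every bucket, staging or not, since a "test" bucket holding real uploads is exposed exactly as a production one is.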
TechCrunch contacted Canada’s privacy regulator, which said it was seeking more information from the company.
“The Office of the Privacy Commissioner of Canada has reached out to the company to obtain more information and determine next steps,” a spokesperson told TechCrunch by email, declining to comment further.
Duc App is the latest in a string of recent security lapses involving the exposure of sensitive identity data. The exposure comes as apps and websites increasingly require users to upload government-issued documents for verification, yet fail to secure that data adequately once collected.
Last year, the app TeaOnHer exposed thousands of users’ passports and driver’s licenses, which users had to upload before they could join the app’s community. Discord also confirmed a data breach affecting around 70,000 government-issued documents that users had uploaded to verify their age, as governments move to enact online age-verification laws.
