
A publicly accessible Amazon-hosted storage server exposed hundreds of thousands of files containing personal data from users of the Duc App, a money-transfer service owned by Toronto-based Duales. The server required no password, allowing anyone with a web browser to access sensitive information, including driver’s licenses, passports, and identity verification data.
Unsecured Server Allowed Direct Access To Sensitive Files
The exposed data was stored without encryption. Anyone who obtained the web address of the storage server could view and download the files in full. Anurag Sen, who discovered the issue, said the server address was easy to guess and did not require authentication.
Sen, a researcher at CyPeace, contacted TechCrunch earlier in the week to help identify the data’s owner. He said the server listed more than 360,000 files, including government-issued documents and user-uploaded selfies used for “know your customer” identity checks.
Documents And Transaction Records Spanned Several Years
The files dated back to September 2020 and were updated regularly, with new uploads occurring daily. In addition to identity documents, the dataset included spreadsheets containing customer names, home addresses, and transaction details such as dates and times.
TechCrunch reported that while it could not determine the exact number of exposed passports and driver’s licenses, multiple folders contained tens of thousands of files. Samples reviewed included identity documents and verification images.
Duales promotes the Duc App as a service for sending money, including transfers to users in Cuba and other countries. Its Android app listing on the Google Play Store shows more than 100,000 downloads.
Company Responds After Notification
Duales said it secured the exposed server on Tuesday after TechCrunch alerted the company’s chief executive, Henry Martinez González. The files themselves were made inaccessible, although a directory listing of the server’s contents remained visible.
Martinez González said the data was hosted on a “staging site,” typically used for testing, but did not explain why real customer data was stored there or why it was publicly accessible. He stated that “all protections are in place” and that the company was notifying relevant parties.
He declined to confirm whether the company had logs or technical means to determine how many people accessed the exposed data or how it was accessed.
Following the disclosure, the Duc App website briefly went offline and displayed a “bad gateway” error.
Regulator Seeks More Information On Incident
Canada’s privacy regulator, the Office of the Privacy Commissioner of Canada, said it had contacted the company to gather more information. A spokesperson told TechCrunch the regulator is assessing next steps but did not provide further details.
The reason the Amazon-hosted server was left publicly accessible remains unclear. In recent years, Amazon has introduced additional safeguards to reduce accidental data exposure following several high-profile incidents involving misconfigured storage systems, including cases affecting government agencies.
Recent Incidents Highlight Ongoing Data Exposure Risks
The incident adds to a series of recent cases involving exposure of identity documents. Last year, the app TeaOnHer exposed thousands of user-uploaded passports and driver’s licenses required for access to its platform. Discord also confirmed a data breach affecting around 70,000 government-issued documents submitted for age verification.
These cases all involve services that require users to upload identity documents for verification, with widely varying levels of security applied to the stored data.
Featured image credits: Onit
