Online gift card store exposed hundreds of thousands of people’s identity documents

A U.S. online gift card store has secured an online storage server that was publicly exposing hundreds of thousands of customers' government-issued identity documents to the internet.

A security researcher, who goes by the online handle JayeLTee, found the publicly exposed storage server late last year containing driving licenses, passports, and other identity documents belonging to MyGiftCardSupply, a company that sells digital gift cards for customers to redeem at popular brands and online services.

MyGiftCardSupply’s website says it requires customers to upload a copy of their identity documents as part of its compliance efforts with U.S. anti-money laundering rules, commonly known as “know your customer” checks, or KYC.

But the storage server containing the files had no password, allowing anyone on the internet to access the files stored within.

JayeLTee alerted TechCrunch to the exposure last week after MyGiftCardSupply did not respond to the researcher’s email about the exposed data.

When reached by TechCrunch, MyGiftCardSupply founder Sam Gastro confirmed the security lapse. “The files are now secure, and we are doing a full audit of the KYC verification procedure,” said Gastro. “Going forward, we are going to delete the files promptly after doing the identity verification.”

Gastro would not say how long the data was exposed to the internet, nor would the company commit to notifying affected individuals whose information was left public. Gastro also did not address why MyGiftCardSupply did not respond to the researcher’s email or remediate the security lapse at the time.

According to JayeLTee, the exposed data, hosted on Microsoft’s Azure cloud, contained over 600,000 front and back images of identity documents and selfie photos of around 200,000 customers. It is not uncommon for companies subject to KYC checks to ask their customers to take a selfie while holding a copy of their identity documents to verify that the customer is who they say they are, and to weed out forgeries.

The most recently uploaded document on the server was dated December 31, 2024, a day before MyGiftCardSupply secured the exposed server. Thousands of customers uploaded their identity documents in the preceding weeks, suggesting the storage server was actively in use.

This is the latest in a long list of incidents and data breaches in recent years involving identity documents collected for KYC checks, which remain one of the most relied-upon methods for verifying a customer’s identity.

Last April, a hacker claimed to have stolen a massive screening database called World-Check, a database used by companies to determine whether customers are high risk or involved in potential criminality. A copy of the leaked data showed the database contained names, dates of birth, passport and Social Security numbers, and bank account numbers.

JayeLTee separately reported on Thursday finding another cache of exposed KYC documents, including around 320,000 passports and driver’s licenses, from roommate-finding site Roomster. In a blog post, JayeLTee said it was not clear exactly how many individuals were affected by the security lapse at Roomster.

CEO John Shriber did not return TechCrunch’s email requesting comment. In a statement provided by Roomster’s general counsel Charles Brofman after publication, the company said it has “no reason to believe that anyone has hacked the folder or that anyone has accessed the data and used it in any nefarious way.”

Roomster was in 2023 ordered to pay $1.6 million following a Federal Trade Commission complaint for allegedly defrauding millions of its users by posting unverified listings and fake reviews.

Updated with statement from Roomster.
