A U.S. online gift card retailer has secured a web storage server that was publicly exposing hundreds of thousands of customers' government-issued identity documents to the internet.
A security researcher who goes by the online handle JayeLTee found the publicly exposed storage server late last year. It contained driver's licenses, passports and other identity documents belonging to customers of MyGiftCardSupply, a company that sells digital gift cards for customers to redeem at popular brands and online services.
MyGiftCardSupply's website says it requires customers to upload a copy of their identity documents as part of its compliance with U.S. anti-money laundering rules, commonly known as "know your customer" checks, or KYC.
But the storage server containing the files had no password, allowing anyone on the internet to access the data stored inside.
JayeLTee alerted TechCrunch to the exposure last week after MyGiftCardSupply did not respond to the researcher's email about the exposed data.
When reached by TechCrunch, MyGiftCardSupply founder Sam Gastro confirmed the security lapse. "The files are now secure, and we are doing a full audit of the KYC verification procedure," said Gastro. "Going forward, we are going to delete the files promptly after doing the identity verification."
Gastro would not say how long the data was exposed to the internet, nor would the company commit to notifying affected individuals whose information was left public. Gastro also did not address why MyGiftCardSupply did not respond to the researcher's email or remediate the security lapse at the time.
According to JayeLTee, the exposed data, hosted on Microsoft's Azure cloud, contained over 600,000 front and back images of identity documents and selfie photos of around 200,000 customers. It is not unusual for companies subject to KYC checks to ask their customers to take a selfie while holding a copy of their identity documents, to verify that the customer is who they say they are and to weed out forgeries.
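The article says only that the data sat on Azure with no password. The usual shape of that failure is an Azure Blob Storage container whose public access level allows anonymous listing, so the check below, an added example and not code from TechCrunch, JayeLTee or MyGiftCardSupply, sends the unauthenticated "List Blobs" request an outsider would send and classifies Azure's answer. The storage account and container names, and the three sample responses, are constructed for illustration; the assumption that the exposure was a Blob Storage container is labelled in the code.

```python
"""
Probe an Azure Blob Storage container for anonymous (unauthenticated) listing.

Added example. ASSUMPTION: the "storage server with no password" in the
article was an Azure Blob Storage container with container-level public
access; nothing in the article confirms which Azure service was involved.
"""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample responses modelled on Azure's documented List Blobs and
# error bodies; they are not captures from any real storage account.
SAMPLE_PUBLIC = (
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<EnumerationResults ServiceEndpoint="https://example.blob.core.windows.net/" '
    b'ContainerName="kyc-uploads"><Blobs>'
    b"<Blob><Name>passport_front.jpg</Name></Blob>"
    b"<Blob><Name>selfie.jpg</Name></Blob>"
    b"</Blobs><NextMarker /></EnumerationResults>"
)
SAMPLE_BLOCKED = (
    b'<?xml version="1.0" encoding="utf-8"?><Error>'
    b"<Code>PublicAccessNotPermitted</Code>"
    b"<Message>Public access is not permitted on this storage account.</Message></Error>"
)
SAMPLE_PRIVATE = (
    b'<?xml version="1.0" encoding="utf-8"?><Error>'
    b"<Code>ResourceNotFound</Code>"
    b"<Message>The specified resource does not exist.</Message></Error>"
)


def classify_listing_response(status: int, body: bytes) -> str:
    """Map the result of an anonymous List Blobs request to a verdict.

    200 with <EnumerationResults>   anyone on the internet can enumerate the container
    409 PublicAccessNotPermitted    the account has 'Allow Blob public access' disabled
    403 / 404                       private container or no such container; an anonymous
                                    caller cannot tell which, and a container set to
                                    blob-level public access still serves files by URL
    """
    if status == 200 and b"<EnumerationResults" in body:
        return "PUBLIC_LIST"
    if status == 409 and b"PublicAccessNotPermitted" in body:
        return "ACCOUNT_BLOCKS_PUBLIC"
    if status in (403, 404):
        return "NOT_LISTABLE"
    return "UNKNOWN"


def blob_names(body: bytes) -> list:
    """Return the blob names in a List Blobs response, or [] if it is not one."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    return [n.text for n in root.iter("Name") if n.text]


def probe_container(account: str, container: str, timeout: float = 10.0):
    """Send the anonymous List Blobs request and classify the response.

    Only a handful of names are requested (maxresults=5): the goal is to
    confirm the misconfiguration, not to download anyone's documents.
    """
    url = (
        f"https://{account}.blob.core.windows.net/{container}"
        "?restype=container&comp=list&maxresults=5"
    )
    req = urllib.request.Request(url, headers={"x-ms-version": "2020-10-02"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read()
    return classify_listing_response(status, body), blob_names(body)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: probe.py <storage-account> <container>")
    verdict, names = probe_container(sys.argv[1], sys.argv[2])
    print(verdict, names)
```

Treat NOT_LISTABLE as inconclusive rather than safe: a container at the "blob" public access level rejects listing but still hands out any file whose URL is known or guessable. The authoritative check is from the account owner's side, for example `az storage container show-permission` for each container and `az storage account show --query allowBlobPublicAccess`, and the account-wide fix is `az storage account update --allow-blob-public-access false`, which produces the 409 response shown above for every anonymous request.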
The most recent document on the server was dated December 31, 2024, a day before MyGiftCardSupply secured the exposed server. Thousands of customers uploaded their identity documents in the preceding weeks, suggesting the storage server was actively in use.
This is the latest in a long list of incidents and data breaches in recent years involving identity documents collected for KYC checks, which remain one of the most relied-upon methods for verifying a customer's identity.
Last April, a hacker claimed to have stolen a huge screening database known as World-Check, which companies use to determine whether customers are high risk or involved in potential criminality. A copy of the leaked data showed the database contained names, dates of birth, passport and Social Security numbers, and bank account numbers.
JayeLTee separately reported on Thursday finding another cache of exposed KYC documents, including around 320,000 passports and driver's licenses, from the roommate-finding site Roomster.
In a blog post, JayeLTee said it was not clear exactly how many individuals were affected by the security lapse at Roomster, and its CEO John Shriber did not return TechCrunch's email requesting comment. Roomster was ordered in 2023 to pay $1.6 million following a Federal Trade Commission complaint for allegedly defrauding millions of its users by posting unverified listings and fake reviews.