Online gift card store exposed hundreds of thousands of people's identity documents



A U.S. online gift card store has secured an online storage server that was publicly exposing hundreds of thousands of customers' government-issued identity documents to the internet.

A security researcher, who goes by the online handle JayeLTee, found the publicly exposed storage server late last year containing driving licenses, passports, and other identity documents belonging to MyGiftCardSupply, a company that sells digital gift cards for customers to redeem at popular brands and online services.

MyGiftCardSupply's website says it requires customers to upload a copy of their identity documents as part of its compliance efforts with U.S. anti-money laundering rules, often known as "know your customer" checks, or KYC.

But the storage server containing the files had no password, allowing anyone on the internet to access the data stored inside.

JayeLTee alerted TechCrunch to the exposure last week after MyGiftCardSupply did not respond to the researcher's email about the exposed data.

When reached by TechCrunch, MyGiftCardSupply founder Sam Gastro confirmed the security lapse. "The files are now secure, and we are doing a full audit of the KYC verification procedure," said Gastro. "Going forward, we are going to delete the files promptly after doing the identity verification."

Gastro would not say how long the data was exposed to the internet, nor would the company commit to notifying affected individuals whose information was left public. Gastro also did not address why MyGiftCardSupply did not respond to the researcher's email or remediate the security lapse at the time.

According to JayeLTee, the exposed data, hosted on Microsoft's Azure cloud, contained over 600,000 front and back images of identity documents and selfie photos of around 200,000 customers. It is not uncommon for companies subject to KYC checks to ask their customers to take a selfie while holding a copy of their identity documents to verify that the customer is who they say they are, and to weed out forgeries.

The latest uploaded document on the server was dated December 31, 2024, a day before MyGiftCardSupply secured the exposed server. Thousands of customers uploaded their identity documents in the preceding weeks, suggesting the storage server was actively used.

This is the latest in a long list of incidents and data breaches in recent years involving identity documents collected for KYC checks, which remain one of the most relied-upon methods for verifying a customer's identity.

Last April, a hacker claimed to have stolen a huge screening database called World-Check, a database used by companies to determine if customers are high risk or involved in potential criminality. A copy of the leaked data showed the database contained names, dates of birth, passport and Social Security numbers, and bank account numbers.

JayeLTee separately reported on Thursday finding another cache of exposed KYC documents, including around 320,000 passports and driver's licenses, from roommate-finding website Roomster. In a blog post, JayeLTee said it was not clear exactly how many individuals were affected by the security lapse at Roomster.

CEO John Shriber did not return TechCrunch's email requesting comment. In a statement provided by Roomster's general counsel Charles Brofman after publication, the company said it has "no reason to believe that anyone has hacked the folder or that anyone has accessed the data and used it in any nefarious way."

Roomster was in 2023 ordered to pay $1.6 million following a Federal Trade Commission complaint for allegedly defrauding millions of its users by posting unverified listings and fake reviews.

Updated with statement from Roomster.



