Public Exposure of Customer Identity Documents: A U.S. Online Gift Card Store’s Security Lapse
In a concerning development, a U.S.-based online gift card store has inadvertently exposed hundreds of thousands of customer government-issued identity documents to the internet. This security lapse was discovered by a security researcher who alerted TechCrunch to the issue.
MyGiftCardSupply: A Company with a KYC Requirement
MyGiftCardSupply is an online store that sells digital gift cards for popular brands and services. To comply with U.S. anti-money laundering rules, also known as ‘know your customer’ (KYC) checks, the company requires customers to upload a copy of their identity documents. This information is used to verify the customer’s identity and prevent potential money laundering activities.
The Exposed Storage Server
Last year, security researcher JayeLTee discovered that MyGiftCardSupply’s storage server containing these sensitive documents was publicly exposed to the internet. The server, hosted on Microsoft’s Azure cloud platform, had no password protection, allowing anyone with an internet connection to access the data stored within.
The Impact of the Security Lapse
According to JayeLTee, the exposed data included over 600,000 front and back images of identity documents, as well as around 200,000 selfie photos of customers. The most recently uploaded document on the server was dated December 31, 2024, just a day before MyGiftCardSupply secured the exposed server.
Customer Data Exposure: A Growing Concern
This security lapse is not an isolated incident. In recent years, there have been numerous cases of identity documents collected for KYC checks being publicly exposed. In April last year, a hacker claimed to have stolen a massive screening database called World-Check, which contained sensitive customer information.
Roomster’s Similar Security Lapse
Separately, JayeLTee also reported finding another cache of exposed KYC documents from roommate-finding site Roomster. The exposed data included around 320,000 passports and driver’s licenses. While it is unclear exactly how many individuals were affected by the security lapse at Roomster, the company has maintained that there is no evidence to suggest that anyone accessed the data in a nefarious manner.
Company Response: A Mixed Bag
MyGiftCardSupply’s founder, Sam Gastro, confirmed the security lapse and stated that the files are now secure. However, he would not provide details on how long the data was exposed or whether affected individuals will be notified. Additionally, the company did not address why it failed to respond to JayeLTee’s initial email about the exposed data.
The Importance of KYC Checks
While KYC checks are a crucial aspect of preventing money laundering activities, companies must ensure that these procedures do not compromise customer data security. The recent incidents highlight the need for robust security measures and regular audits to prevent such lapses from occurring in the future.
Related Incidents: A Pattern of Security Lapses
In 2023, Roomster was ordered to pay $1.6 million following a Federal Trade Commission complaint for allegedly defrauding millions of its users by posting unverified listings and fake reviews.
The Need for Transparency and Accountability
In light of these incidents, companies must prioritize transparency and accountability when handling sensitive customer data. This includes regular security audits, proper password protection, and clear communication with affected individuals in the event of a security breach.
Conclusion: A Wake-Up Call for Companies
The public exposure of customer identity documents by MyGiftCardSupply serves as a stark reminder of the importance of robust security measures and transparency in handling sensitive data. As technology continues to evolve, companies must remain vigilant in their efforts to protect customer information and prevent such incidents from occurring.