A recent incident involving the Duc App, a money transfer service operated by the Toronto-based company Duales, has raised significant concerns about data security. A publicly accessible Amazon-hosted storage server inadvertently exposed potentially hundreds of thousands of individuals' personal information, including driver's licenses and passports, without any password protection.
On Tuesday, after being alerted by TechCrunch, Duales confirmed that the data exposure had been resolved. The company acknowledged that the server was publicly listing its contents, allowing anyone with a web browser to access sensitive information.
The security oversight was highlighted by Anurag Sen, a researcher from CyPeace, who discovered the vulnerability earlier in the week. He emphasized that anyone could easily view and download the data simply by knowing the web address of the storage server. The exposed files included over 360,000 documents, which were used for customer identity verification during "know your customer" checks, along with user-uploaded selfies.
While TechCrunch could not determine the exact number of exposed licenses and passports, the presence of several folders containing tens of thousands of files raised alarms. The Duc App, which facilitates money transfers including international transactions to places like Cuba, has seen over 100,000 downloads on the Google Play Store.
Among the files were spreadsheets detailing customer names, home addresses, and transaction records dating back to September 2020. Duales' CEO, Henry Martinez González, described the exposed data as being housed on a "staging site," typically used for testing purposes. However, he did not clarify why such sensitive information was left publicly accessible.
Following the notification from TechCrunch, the files were made inaccessible, although a list of the server's contents remains visible. When questioned about the potential access to the data, Martinez did not confirm whether the company had the means to track who accessed the information.
This incident coincides with a broader trend where various applications require users to upload government-issued documents for identity verification, often without implementing adequate security measures. The Office of the Privacy Commissioner of Canada has reached out to Duales for further information and to assess the situation.
The Duc App case serves as a crucial reminder of the importance of robust data protection practices in an increasingly digital world. As more services require sensitive personal information, ensuring that data is securely stored and accessed will be vital for maintaining user trust and safeguarding privacy in the future.
