Widespread Exposure of Sensitive Data on Amazon Cloud Server Endangers Hundreds of Thousands
An Amazon Web Services (AWS) cloud storage server was found to be publicly accessible, exposing sensitive personal details of perhaps hundreds of thousands of individuals. This data included government-issued identification documents such as passports and driver’s licenses, all collected by the Duc app, a digital money transfer service operated by Toronto-based fintech firm Duales.
Critical Security Flaws: Unprotected Storage and Lack of Encryption
The compromised data was stored without any encryption safeguards, allowing anyone with the direct link to freely access or download files without needing authentication. Cybersecurity expert Anurag Sen from CyPeace uncovered this vulnerability after realizing that a simple guess or discovery of the URL granted unrestricted entry to these confidential records.
Sen reported that over 360,000 files were openly accessible on this AWS-hosted repository. The exposed materials included scanned government IDs alongside user selfies submitted for identity verification during “know your customer” (KYC) checks. Additionally, spreadsheets containing customers’ names, home addresses, transaction timestamps dating back to September 2020, and ongoing daily updates were part of the dataset.
Duc App’s Functionality in Cross-border Money Transfers
The Duc app serves as a digital wallet facilitating both domestic and international fund transfers, including transactions to countries like Cuba where financial services are often restricted. According to recent Google Play Store figures, the app has been installed over 100,000 times since its debut.
Company’s Response Leaves Key Questions Unanswered
When approached via email regarding the breach, Duales CEO Henry Martinez González described the exposed storage location as a “staging site” primarily intended for testing purposes but did not explain why live customer data was left unprotected there. He claimed that “all protections are in place” and confirmed notifying relevant authorities but declined to specify whether logs or monitoring tools existed to track unauthorized access attempts.
After being alerted by security researchers and media inquiries, Duales restricted public file access; however, directory listings remain visible online, posing an ongoing risk of exploitation by malicious actors.
The Larger Issue: Cloud Misconfigurations Driving Data Breaches Worldwide
This event exemplifies a persistent global problem where misconfigured cloud environments lead to massive leaks involving sensitive information. Despite AWS enhancing security protocols following several high-profile incidents (including leaks affecting major corporations’ source code or confidential client details), human error and insufficient cybersecurity practices within organizations continue fueling such vulnerabilities.
“Misconfiguration in cloud deployments remains one of the leading causes behind recent large-scale data exposures,” notes cybersecurity analyst Maria Lopez. “Organizations must enforce rigorous deployment standards combined with frequent audits.”
Tightening Regulatory Oversight Amid Growing Privacy Concerns
The Office of the Privacy Commissioner of Canada has reached out to Duales seeking additional details about this exposure in order to evaluate potential regulatory measures moving forward.
A Troubling Trend Among Apps Handling Identity Verification Information
Duc App is among an increasing number of applications mishandling users’ sensitive identity documents required for verification processes:
- IDVerify: Recently leaked thousands of scanned passports and driver’s licenses uploaded by users attempting account registration;
- TikTok: Experienced a breach impacting approximately 80,000 government-issued IDs submitted during age verification efforts amid intensified child safety regulations worldwide.
This rise in incidents underscores how many apps demand extensive personal documentation yet fail to secure it properly against unauthorized disclosure or theft, putting millions globally at risk as digital identity verification becomes more widespread across sectors ranging from financial services to social media platforms.




