Duales’ Duc App Data Left Unprotected Due to Unencrypted Server, Over 360,000 Files Exposed

Published
Written by:
Lore Apostol
Cybersecurity Writer
Key Takeaways
  • Duc App breach: A massive data leak exposed over 360,000 unencrypted files containing sensitive customer information from the Duales money-transfer application.
  • Amazon storage server: The company left a cloud storage server completely unprotected, allowing anyone with a web browser to access government IDs without authentication.
  • Data security risks: Compromised records include passports, driver's licenses, facial recognition selfies, and detailed transaction logs dating back to September 2020.

A Duc App data exposure has compromised the personal information of thousands of fintech users. Security researchers recently identified a publicly accessible Amazon-hosted storage server belonging to Duales, the Toronto-based operator of the Duc App money-transfer service. This infrastructure misconfiguration left sensitive identity verification documents entirely unprotected on the open internet.

The Duc App Privacy Breach

The Duc App data breach centers on the sensitive nature of the unencrypted information exposed. CyPeace cybersecurity researcher Anurag Sen discovered that the server contained over 360,000 files used for mandatory "know your customer" (KYC) protocols, according to TechCrunch.

Several folders each contained “tens of thousands” of user-uploaded files and detailed spreadsheets, including:

Because the server accepted requests without any authentication and the files were stored unencrypted, anyone who found the easy-to-guess web address could view and download the contents in plaintext. The root cause was the missing access control rather than the encryption itself: a storage server that answers anonymous requests hands its files to whoever asks.

Escalating User Data Security Risks

Operating an unprotected Amazon-hosted storage server presents severe user data security risks, especially for a financial application boasting over 100,000 downloads. Duales Chief Executive Henry Martinez González stated the infrastructure functioned as a "staging site," and the company subsequently restricted access to the files. 

This Duales data exposure adds to several other cases of cloud misconfigurations, reminding financial institutions that failing to implement basic access controls can severely impact consumer privacy and compromise operational integrity.
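As an added example (not code from the article, from Duales, or from the researchers), the following script audits the two bucket-level controls that decide whether a storage bucket like this one is reachable anonymously: the bucket policy and the S3 Public Access Block settings. It assumes the exposed "Amazon-hosted storage server" was an S3 bucket, which the article does not confirm; the bucket name, account ID, role name, policies and settings are all constructed samples, and the weak policy is shown beside a hardened one.

```python
"""Audit S3 bucket-level access controls for anonymous reads.

Added example, not the article's or Duales' code. It assumes the exposed
"Amazon-hosted storage server" was an S3 bucket; every policy and setting
below is a constructed sample, not the real configuration.
"""
import fnmatch
import json

# Actions that let an anonymous caller enumerate or fetch objects.
READ_TARGETS = ("s3:getobject", "s3:listbucket")

# Constructed sample: the kind of policy that makes a bucket world-readable.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadKyc",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-kyc-staging",
                     "arn:aws:s3:::example-kyc-staging/*"],
    }],
})

# Constructed sample: same bucket, reads limited to one IAM role
# (hypothetical account ID and role name), plus a deny for plaintext HTTP.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "KycRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/kyc-review"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-kyc-staging",
                         "arn:aws:s3:::example-kyc-staging/*"],
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-kyc-staging/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

# Constructed sample Public Access Block settings, in the shape returned by
# GetPublicAccessBlock: a typical "staging" bucket with two of four switched off.
STAGING_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
HARDENED_PAB = {name: True for name in STAGING_PAB}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, which includes unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_read(actions):
    # IAM action names are case-insensitive and may use wildcards ("s3:Get*", "s3:*").
    patterns = [a.lower() for a in _as_list(actions)]
    return any(fnmatch.fnmatchcase(t, p) for t in READ_TARGETS for p in patterns)


def public_read_statements(policy_json):
    """Return (Sid, kind) for Allow statements that grant reads to anyone.

    kind is "unconditional" when nothing narrows the grant and "conditional"
    when a Condition block is present and needs a human look. NotPrincipal,
    NotAction and ACL-based grants are out of scope for this heuristic; use
    IAM Access Analyzer for an authoritative answer.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if not _grants_read(stmt.get("Action", [])):
            continue
        kind = "conditional" if stmt.get("Condition") else "unconditional"
        findings.append((stmt.get("Sid", "<no Sid>"), kind))
    return findings


def public_access_block_gaps(config):
    """Names of the four Public Access Block settings that are not enabled."""
    required = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
    return [name for name in required if not config.get(name, False)]


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, "policy public reads:", public_read_statements(policy))
    print("staging PAB gaps:", public_access_block_gaps(STAGING_PAB))
```

Against a real bucket, the policy string comes from `aws s3api get-bucket-policy --bucket NAME --query Policy --output text` and the settings from `aws s3api get-public-access-block --bucket NAME`. The four Public Access Block settings are the backstop: with all of them enabled, a policy like WEAK_POLICY cannot be attached in the first place, which is why a "staging" bucket deserves them just as much as production.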

Last year, misconfigurations across seven cloud providers exposed 660,000 buckets, 200 billion files, 110,000 credentials, and more.

