Top money transfer site Duc leaks user passport and driving license data info online

News
By published

Another day, another misconfigured database

KYC
(Image credit: D24)
  • Duc app exposed 360,000 unencrypted customer files
  • Data included IDs, addresses, and transaction details
  • Database secured after researcher alerted company

Duc App, a Canadian money transfer service provider, was leaking sensitive customer data to the wide web, allowing anyone with an internet connection and a browser to access it.

Security researcher Anurag Sen from CyPeace recently discovered a publicly accessible Amazon-hosted storage server with sensitive data on hundreds of thousands of people.

This included people’s names, home addresses, but also the dates, times, and details of their transactions. They also contained driver’s licenses, passports, and other documents collected during the Know Your Customer (KYC) registration process.

Article continues below

Locking down the database

Sen said the server listed more than 360,000 files, all in unencrypted format and available to anyone who knew where to look. After making the discovery, Sen reached out to TechCrunch to help contact Duc App’s owners, a company called Duales.

The publication managed to contact the owners, who locked the database down, soon after. TechCrunch said it could not confirm the number of exposed drivers licenses and passports, but said it saw “several folders” with tens of thousands of user-uploaded files, dating back from September 2020, and being uploaded daily.

In an email statement shared with the publication, Duales chief executive officer Martinez González said the data was stored on a “staging site” - meaning the website was used mostly for testing. However, he did not explain why the database was publicly accessible.

“All protections are in place,” Martinez González said. “We are notifying the appropriate parties. We have not contracted any services from you.” We don’t know if any malicious third parties managed to find the database before Sen, but it is always possible. Cybercriminals frequently scan the wider web for exposed databases such as this one.

Generally, cloud misconfigurations are the number one cause of data leaks and spills, resulting mostly from the misconception that cloud security is primarily the service provider’s responsibility.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.