A data breach in the Canadian money transfer app Duc has led to the exposure of sensitive customer information, including driver’s licenses, passports, and other personal documents. The breach occurred due to an unsecured Amazon-hosted storage server that allowed unrestricted access to customer data without a password.
Security researcher Anurag Sen discovered the breach, which revealed over 360,000 unencrypted files containing government-issued documents and user-uploaded selfies used for identity verification. The exposed data also included customer names, addresses, and transaction details.
Duales, the Toronto-based fintech company behind Duc, promptly addressed the issue after being notified by TechCrunch. The company emphasized the critical importance of securing customer data in the digital age.
This incident underscores the need for robust data security measures, especially in financial technology services that handle sensitive customer information.
Source: TechCrunch