A significant data breach at the money transfer service Duc App has exposed hundreds of thousands of users' sensitive personal documents, including driver's licences and passports, on a publicly accessible Amazon server. The security lapse, discovered this week, left the data unencrypted and available to anyone with a web browser.
The Canadian fintech company Duales, which owns the Duc App, secured the data on Tuesday after being alerted by TechCrunch. The exposed files, dating back to September 2020 and updated daily, also contained customer selfies, names, home addresses, and detailed transaction records.
Open Server Held Years of Data
Security researcher Anurag Sen discovered the misconfigured storage server, which was publicly listing its contents without requiring any authentication. Sen stated that anyone could view and download the data simply by knowing the server's web address.
The Amazon-hosted server contained over 360,000 files used for customer identity verification, known as "know your customer" checks. TechCrunch's review found folders containing tens of thousands of user-uploaded government documents and selfies, though the precise number of exposed passports and licences could not be confirmed.
Company Response and Regulatory Scrutiny
When contacted, Duales chief executive Henry Martinez González claimed the data was on a "staging site" used for testing but did not explain why live customer data was publicly accessible. "All protections are in place," Martinez said in an email, adding the company was "notifying the appropriate parties."
Following TechCrunch's alert, the files were made inaccessible, though a directory listing remained visible. Martinez would not confirm whether the company has logs to determine who may have accessed the data. The Office of the Privacy Commissioner of Canada has contacted Duales for more information.
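The two failures this story turns on are a storage bucket that lists and serves its contents to unauthenticated requests, and the absence of access logs to establish who read the data afterwards. The following Python audit is an added example written for this article, not code from TechCrunch, Duales or AWS. It evaluates a bucket's Block Public Access settings, bucket policy, ACL and server-access-logging configuration in the dict shapes that boto3's `get_public_access_block`, `get_bucket_policy`, `get_bucket_acl` and `get_bucket_logging` return, so the checks run offline on the constructed samples below (the bucket names `example-kyc-uploads` and `example-access-logs` are made up); `audit_live_bucket` assumes boto3 and credentials with `s3:GetBucket*` permissions are available.

```python
"""Audit an S3 bucket for public listing and missing access logs.

Added example; not code from TechCrunch, Duales or AWS. Functions accept the
dicts boto3 returns, so they can be tested offline on constructed inputs.
"""
import json

PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
LIST_ACTIONS = {"s3:listbucket", "s3:*", "*"}  # actions that permit listing


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def policy_allows_public_list(policy):
    """True if an Allow statement grants ListBucket (or a wildcard) to everyone.
    A conditioned statement is still reported: it deserves a manual look."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal", {})):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & LIST_ACTIONS:
            return True
    return False


def acl_grants_public_read(acl):
    """True if the ACL gives READ (listing) or FULL_CONTROL to a public group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            if grant.get("Permission") in ("READ", "FULL_CONTROL"):
                return True
    return False


def public_access_block_complete(pab):
    """True only when all four Block Public Access switches are on."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(cfg.get(k) is True for k in keys)


def logging_enabled(logging_cfg):
    return "LoggingEnabled" in logging_cfg


def audit_bucket(pab, policy, acl, logging_cfg):
    """Return finding identifiers; an empty list means none of the checks fired."""
    findings = []
    if not public_access_block_complete(pab):
        findings.append("block-public-access-incomplete")
    if policy is not None and policy_allows_public_list(policy):
        findings.append("policy-allows-public-listing")
    if acl_grants_public_read(acl):
        findings.append("acl-grants-public-read")
    if not logging_enabled(logging_cfg):
        findings.append("server-access-logging-disabled")
    return findings


def audit_live_bucket(bucket):
    """Run audit_bucket on a real bucket (assumes boto3 and credentials)."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")

    def fetch(method, absent_code):  # a missing config is a finding, not an error
        try:
            return getattr(s3, method)(Bucket=bucket)
        except ClientError as exc:
            if exc.response["Error"]["Code"] == absent_code:
                return {}
            raise

    pab = fetch("get_public_access_block", "NoSuchPublicAccessBlockConfiguration")
    policy = fetch("get_bucket_policy", "NoSuchBucketPolicy").get("Policy")
    return audit_bucket(pab, policy, s3.get_bucket_acl(Bucket=bucket),
                        s3.get_bucket_logging(Bucket=bucket))


# Constructed sample: a bucket configured the way the article describes.
EXPOSED_PAB = {}  # no Block Public Access configuration at all
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-kyc-uploads", "arn:aws:s3:::example-kyc-uploads/*"]}]})
OWNER_ONLY_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                              "Permission": "FULL_CONTROL"}]}
EXPOSED_LOGGING = {}

# Constructed sample: the same bucket after remediation (policy removed).
HARDENED_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
HARDENED_LOGGING = {"LoggingEnabled": {"TargetBucket": "example-access-logs",
                                       "TargetPrefix": "kyc/"}}

if __name__ == "__main__":
    print(audit_bucket(EXPOSED_PAB, EXPOSED_POLICY, OWNER_ONLY_ACL, EXPOSED_LOGGING))
    print(audit_bucket(HARDENED_PAB, None, OWNER_ONLY_ACL, HARDENED_LOGGING))
```

The policy check deliberately flags a public ListBucket grant even when a Condition is attached, because a condition on IP range or referrer is easy to get wrong and is worth a human review rather than a silent pass. Server access logging is treated as a finding in its own right: without it, a company in Duales' position cannot say who downloaded what, which is exactly the question the regulator will ask.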
A Pattern of Identity Data Exposure
This incident is the latest in a series of security failures involving sensitive identity documents collected by apps. Last year, the TeaOnHer app exposed thousands of user passports and driver's licences. Discord also confirmed a breach affecting around 70,000 government documents uploaded for age verification.
These lapses occur as more services require users to upload official documents for verification, often without adequate security measures for the collected data. Amazon has implemented additional security checks in recent years to prevent such inadvertent exposures, following high-profile incidents involving several corporations and even a U.S. spy agency.
Ongoing Fallout and User Impact
The Duc App, which allows users to send money overseas to locations like Cuba, has been downloaded over 100,000 times on the Google Play Store. Its website experienced downtime on Thursday, displaying a "bad gateway" error.
With the data exposed for years and the company unable to confirm if it was accessed, the breach poses a significant risk of identity theft and fraud for affected users. The Canadian privacy regulator's investigation will determine the next steps and potential consequences for Duales.