
An Amazon-hosted storage server, accessible to the public, permitted anyone with internet access to view what could potentially be hundreds of thousands of individuals’ personal information without a password. This encompassed driver’s licenses, passports, and other personal details gathered by the Duc App, a money transfer platform owned by the Toronto-based company Duales.
The Canadian fintech firm announced it addressed the data breach on Tuesday after TechCrunch informed its CEO that one of the cloud storage servers was openly listing its files without any password protection.
Moreover, the data was stored in an unencrypted format, allowing anyone with a link to access the information completely.
Anurag Sen, a security expert at CyPeace who identified the security flaw earlier that week, reached out to TechCrunch to alert the data owner. Sen mentioned that anyone could view and download the data via their browser simply by knowing the easily guessable URL of the storage server.
Sen reported that the Amazon-hosted storage server displayed over 360,000 files containing government-issued documents and other information utilized by customers for identity verification through “know your customer” processes. Among these files were user-submitted selfies to verify their real-life appearance.
TechCrunch could not determine the exact number of exposed driver’s licenses and passports; however, numerous folders in the exposed storage bucket each held tens of thousands of user-uploaded files, some of which included driver’s licenses, passports, and selfies.
Duales promotes its app as a means for individuals to send money to others, including internationally to locations like Cuba. The app’s listing on the Google Play store shows over 100,000 downloads so far.
The files, dated as far back as September 2020 and still being uploaded daily, also included spreadsheets recording customer names, home addresses, and transaction details such as dates and times.
In response to an email inquiry, Duales CEO Henry Martinez González informed TechCrunch that the data was stored on a “staging site,” which is typically a testing website, but did not clarify why customer personal data was accessible publicly in the same database.
“All protections are in place,” Martinez González stated. “We are notifying the appropriate parties. We have not contracted any services from you.”
Following TechCrunch’s email to the company, access to the files on the storage server was revoked, although a listing of the server’s contents remains accessible.
Martinez González did not confirm whether the company had the technical capabilities, such as access logs, to identify who viewed the data or how many individuals accessed it.
Duc App’s website seemed to be briefly down on Thursday, presenting a “bad gateway” error.
It remains unclear how or why Duales kept its Amazon-hosted storage server publicly accessible on the internet. In recent years, Amazon has added security measures to help prevent customers from inadvertently exposing their data online, after a series of incidents in which notable organizations, including a U.S. intelligence agency, mistakenly published sensitive data through misconfigured storage.
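A defender’s check the incident suggests, added here as an example and not taken from the article or from Duales: given bucket configuration snapshots in the shape of the S3 API responses (PublicAccessBlockConfiguration, bucket Policy, ServerSideEncryptionConfiguration, LoggingEnabled), it flags the gaps reported above: anonymous listing and download, no default encryption, and no access logging. The bucket names and snapshots are constructed; HALF_FIXED models the state where object downloads were cut off but the directory listing stayed open.

```python
from typing import Optional

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
BUCKET_ARN = "arn:aws:s3:::example-kyc-staging"  # constructed name, not the real bucket


def anonymous_actions(policy: Optional[dict]) -> set:
    """Actions a bucket policy grants unconditionally to everyone (Principal "*")."""
    granted = set()
    for stmt in (policy or {}).get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # denies and conditional grants need a separate review
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            actions = stmt.get("Action", [])
            granted.update([actions] if isinstance(actions, str) else actions)
    return granted


def audit_bucket(snapshot: dict) -> list:
    """Findings for one bucket. Snapshot keys mirror the S3 API response fields:
    PublicAccessBlockConfiguration, Policy, ServerSideEncryptionConfiguration, LoggingEnabled."""
    findings = []
    pab = snapshot.get("PublicAccessBlockConfiguration") or {}
    if not all(pab.get(flag) for flag in PAB_FLAGS):
        findings.append("Block Public Access is not fully enabled")
    anon = anonymous_actions(snapshot.get("Policy"))
    if anon & {"s3:ListBucket", "s3:*"}:
        findings.append("anonymous ListBucket: anyone can enumerate the bucket's object keys")
    if anon & {"s3:GetObject", "s3:*"}:
        findings.append("anonymous GetObject: anyone who knows a key can download the object")
    if not snapshot.get("ServerSideEncryptionConfiguration"):
        findings.append("no default server-side encryption configured")
    if not snapshot.get("LoggingEnabled"):
        findings.append("server access logging is off: who viewed the data cannot be reconstructed")
    return findings


def public_statement(actions):
    """Constructed helper: a policy granting the given actions to Principal "*"."""
    return {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": actions,
                           "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}]}


# Constructed snapshots modelling the states the article describes, not real Duales configuration.
EXPOSED = {"PublicAccessBlockConfiguration": None, "Policy": public_statement(["s3:ListBucket", "s3:GetObject"]),
           "ServerSideEncryptionConfiguration": None, "LoggingEnabled": None}
HALF_FIXED = {**EXPOSED, "Policy": public_statement("s3:ListBucket")}  # downloads cut off, listing still open
HARDENED = {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True), "Policy": None,
            "ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
            "LoggingEnabled": {"TargetBucket": "example-access-logs", "TargetPrefix": "kyc-staging/"}}
```

Running `audit_bucket` over each snapshot reports five findings for EXPOSED, four for HALF_FIXED (the listing finding remains while the download finding clears), and none for HARDENED.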
Canada’s privacy regulator, which TechCrunch contacted while trying to reach the app’s owner, said it was seeking further information from Duales.
“The Office of the Privacy Commissioner of Canada has contacted the company for more information and to determine the next steps,” a spokesperson for the regulator shared with TechCrunch via email, opting not to provide additional comments.
Duc App is the latest in a series of recent security incidents exposing people’s sensitive identity documents. The leak fits a pattern in which apps and sites increasingly require users to upload government-issued documents for identity verification without adequately protecting the data they collect.
Last year, the well-known app TeaOnHer disclosed thousands of its users’ passports and driver’s licenses, which the app required for entry into its exclusive community. Additionally, Discord confirmed a data breach last year affecting approximately 70,000 government-issued documents that users uploaded to verify their ages amid a global push to introduce online age verification legislation.

