Money transfer app Duc exposed thousands of driver’s licenses and passports to the open web

The money transfer app Duc exposed personal data, including driver’s licenses and passports of potentially hundreds of thousands of users, due to a publicly accessible Amazon server. This security lapse was resolved after TechCrunch alerted the company. The data was unencrypted and accessible by anyone with a link, raising concerns about data privacy in fintech and the security measures in place for user-uploaded identification.

Key Points

  • A publicly accessible Amazon-hosted server exposed over 360,000 files containing sensitive personal information.
  • Data included driver’s licenses, passports, selfies, names, home addresses, and transaction details.
  • Duc App by Duales secured the data after TechCrunch alerted the company.
  • The CEO claimed the data was on a staging site, but didn't explain the security oversight.
  • The incident follows a trend in fintech apps requiring sensitive user data, highlighting security vulnerabilities.

Relevance

  • Similar incidents involving data exposure, like TeaOnHer and Discord, reveal ongoing security issues in apps handling sensitive identity data.
  • Growing reliance on digital identity verification is prompting scrutiny of data protection measures.
  • The trend towards stricter online identity verification raises awareness of data handling practices in fintech.

The Duc data exposure incident underlines critical gaps in data security practices among fintech apps, emphasizing the need for rigorous data protection measures as digital identity verification becomes mandatory.