date 2005-01-25
from the hackers-regift-your-data dept.
The incident exposes the growing vulnerabilities tied to digital ID systems and mandatory KYC (know your customer) data collection:
A US-based online gift card retailer has resolved a critical data exposure incident that left highly sensitive customer identity documents accessible on the internet, raising concerns about the growing risks posed by mandatory data collection under "know your customer" (KYC) and digital ID regulations.
The issue came to light when a security researcher, known by the alias JayeLTee, discovered an unprotected storage server linked to MyGiftCardSupply. According to TechCrunch, the server, which lacked even basic password protection, contained hundreds of thousands of government-issued IDs, including driver's licenses and passports, as well as selfies submitted by customers. These documents are required by the company to comply with US anti-money laundering laws, which mandate identity verification for certain transactions.
Despite an attempt by JayeLTee to notify MyGiftCardSupply about the exposure, the company did not respond until TechCrunch reported the breach. MyGiftCardSupply's founder, Sam Gastro, later confirmed the issue. "The files are now secure, and we are doing a full audit of the KYC verification procedure," Gastro stated. He also pledged that the company would delete identity documents promptly after verification in the future.
[...] According to JayeLTee, the server, hosted on Microsoft's Azure cloud platform, contained over 600,000 images of identity documents and selfies from approximately 200,000 customers. These materials are a part of controversial KYC procedures, intended to confirm identities and prevent fraud.
Originally spotted on Schneier on Security.