- 2.9 million files from fintech company Miio have been found exposed online
- Researchers say the information has been unguarded for months
- The company has not yet responded to the disclosure notice
Cybersecurity researchers have claimed that financial technology firm Miio, which offers mobile telecommunications and financial services to customers in Mexico, has suffered a massive data breach that has exposed up to three million Know Your Customer (KYC) files.
Findings from Cybernews say the files were allegedly left unattended for at least several months and included documents dating back to 2017, when the company was started. This strongly suggests that all Miio customers were affected, with 2.9 million scans of various KYC documents found, including passports and IDs, driving licenses and customer photos.
There is no evidence yet that malicious actors gained access to the data, but since researchers were able to access it, it is likely that others have as well. Publicly issued identifications are incredibly valuable to attackers as they can facilitate identity theft and fraud.
Unaware or unwilling
The researchers discovered the leak on September 12, 2024, and sent the first notice on October 2. The storage bin has now been open for at least three months, and the researchers’ attempts to reach out have been ‘met with silence’.
If the KYC documents have fallen into the wrong hands, the attackers can open bank accounts, apply for loans or take out credit cards in the victim’s name.
Given the types of ID documents found, together with the customer selfies used for verification, researchers warn that hackers could take over existing customer accounts, so victims should be ultra-vigilant in the coming months.
“In the context of Miio’s role as a telco bank serving a broad base of customers, such a leak would undermine confidence in its ability to protect sensitive data and expose its users to serious financial and personal risks,” the researchers said.