- The Duc app exposed 360,000 unencrypted customer files
- Data included IDs, addresses and transaction details
- Database secured after researcher warned company
Duc App, a Canadian money transfer service provider, exposed sensitive customer data on the open web, where anyone with an internet connection and a browser could access it.
Security researcher Anurag Sen of CyPeace recently discovered a publicly available Amazon-hosted storage server with sensitive data on hundreds of thousands of people.
The data included people’s names and home addresses, as well as the dates, times and details of their transactions. It also contained driver’s licenses, passports and other documents collected during the Know Your Customer (KYC) registration process.
Locking the database
Sen said the server listed more than 360,000 files, all in unencrypted format and available to anyone who knew where to look. After making the discovery, Sen reached out to TechCrunch to help contact the Duc App’s owners, a company called Duales.
The publication managed to contact the owners, who locked down the database shortly afterwards. TechCrunch said it could not confirm the number of exposed licenses and passports, but said it saw “several folders” containing tens of thousands of user-uploaded files dating back to September 2020, with files being uploaded daily.
In an email statement shared with the publication, Duales CEO Martinez González said the data was stored in a “staging site” — meaning the website was mostly used for testing. However, he did not explain why the database was publicly available.
“All protections are in place,” Martinez González said. “We will notify the relevant parties. We have not entered into a contract with you.”
We don’t know if any malicious third parties managed to find the database before Sen, but it’s always possible. Cybercriminals often scan the wider web for vulnerable databases like this one.
In general, cloud misconfigurations are the number one cause of data leaks and spills, mostly due to the misconception that cloud security is primarily the responsibility of the service provider.



