Duc App Data Exposure - Thousands of Licenses Leaked Online

Basically, a money transfer app accidentally made many people's IDs visible online.
A data breach involving the Duc App has exposed thousands of driver's licenses and passports to the public. This incident raises serious concerns about data security practices. Users are urged to monitor their information closely and take protective measures.
What Happened
A serious data breach occurred when a publicly accessible Amazon-hosted storage server allowed anyone to access sensitive customer data from the Duc App. This money transfer service, operated by the Canadian fintech company Duales, inadvertently exposed potentially hundreds of thousands of personal records without requiring any password for access. The breach was discovered by security researcher Anurag Sen, who found that anyone with the web address could view and download the data.
Who's Affected
The exposed data includes driver’s licenses, passports, and other personal information used for identity verification. According to estimates, over 360,000 files were stored on the server, which included user-uploaded selfies meant to verify their identities. The Duc App has more than 100,000 downloads on the Google Play Store, indicating a significant number of users could be impacted.
What Data Was Exposed
The data exposure included:
- Government-issued documents such as driver's licenses and passports.
- User-uploaded selfies for identity verification.
- Spreadsheets containing customer names, home addresses, and transaction details.

This sensitive information, dating back to September 2020, was stored unencrypted, making it easily accessible to anyone who discovered the link.
What You Should Do
If you are a user of the Duc App, it is crucial to take immediate action to protect your identity. Here are steps you can follow:
- Monitor your accounts for any suspicious activity.
- Consider placing a fraud alert on your credit report to prevent identity theft.
- Regularly check your financial statements and report any unauthorized transactions.
- Stay informed about any updates from Duc App regarding this breach.
Immediate Actions
Duales has stated that it resolved the data exposure after being notified. However, the chief executive did not clarify how many people accessed the data or whether the company had the means to track access logs. The Canadian privacy regulator is now involved, seeking more information from the company to determine the next steps. This incident underscores the importance of securing sensitive data, especially as more apps require users to upload personal documents for verification.