An online gift card store in the United States has secured an online storage server that was exposing hundreds of thousands of its customers' government-issued identification cards to the Internet.
A security researcher who goes by the online handle “JayeLTee” said that late last year he discovered a public storage server holding driver's licenses, passports and other forms of identification belonging to My GiftCardSupply, a company that sells digital gift cards that customers can redeem at popular brands or online services.
My GiftCardSupply's website states that as part of its compliance with US anti-money laundering regulations, known as “Know Your Customer” checks (KYC), it requires customers to upload a copy of their identification documents.
However, the storage server where the files were stored had no password, allowing anyone on the internet to access the data stored inside.
JayeLTee alerted TechCrunch to the breach last week after My GiftCardSupply did not respond to the researcher's emails regarding the leaked data.
When contacted by TechCrunch, My GiftCardSupply founder Sam Gastro acknowledged the security flaw. “The files are now secure and we have a full audit of our KYC verification procedures,” Gastro said. “From now on, we plan to promptly delete files after verifying the user's identity.”
Gastro has not said how long the data has been exposed on the internet, nor has he promised to notify affected individuals whose information remains exposed. Gastro also did not address why My GiftCardSupply did not respond to the researcher's emails at the time or correct the security lapses.
According to JayeLTee, the leaked data, hosted on Microsoft's Azure cloud, included more than 600,000 images of the front and back of ID cards and selfies of approximately 200,000 customers. It is not uncommon for companies subject to KYC checks to ask customers to take a selfie with a copy of their ID to confirm they are who they say they are and to weed out counterfeits.
The latest document uploaded on the server was dated December 31, 2024, the day before My GiftCardSupply secured its public servers. Thousands of customers had uploaded their identification documents over the past few weeks, indicating that the storage server was in active use.
This is the latest in a long list of incidents and data breaches in recent years related to identity documents for KYC checks, which remain one of the most trusted technologies for verifying customer identities.
Last April, a hacker claimed to have stolen a large screening database called World-Check, which companies use to determine whether customers are high risk or involved in potential crimes. A copy of the leaked data showed that the database included names, dates of birth, passport numbers, social security numbers, and bank account numbers.
JayeLTee separately reported on Thursday that he had discovered another cache of exposed KYC documents, including about 320,000 passports and driver's licenses, from the roommate search site Roomster.
JayeLTee said in a blog post that it's unclear exactly how many individuals were affected by Roomster's security lapses. Company CEO John Shriber did not respond to TechCrunch's email seeking comment. Roomster was charged by the Federal Trade Commission and ordered to pay $1.6 million in 2023 for allegedly defrauding millions of users by posting unverified product listings and fake reviews.