MyGiftCardSupply Exposed Customer IDs

MyGiftCardSupply, a U.S. online gift card store, exposed hundreds of thousands of customer identity documents due to an unsecured online storage server. The exposed data included driver's licenses, passports, and selfies, impacting approximately 200,000 customers. The company uses these documents for KYC (Know Your Customer) compliance, a common practice under anti-money laundering regulations.

Discovery and Response

Security researcher JayeLTee discovered the exposed server, hosted on Microsoft Azure, and alerted MyGiftCardSupply, who did not respond. TechCrunch subsequently contacted the company, leading to the server being secured. The company's founder confirmed the lapse and stated they would audit their verification process and delete files after verification in the future. However, they did not clarify the duration of the exposure or commit to notifying affected customers.

KYC Vulnerabilities

This incident underscores the risks associated with storing sensitive KYC data. It follows other similar breaches, including the alleged theft of the World-Check database and an exposed data cache from Roomster, a roommate finding site.

Impact and Future Steps

The most recent upload on the server was dated December 31, 2024, indicating active use before the discovery. The incident raises concerns about the security of KYC procedures and the need for stronger data protection measures.