MyGiftCardSupply Exposes 600K+ Identity Docs in Breach

MyGiftCardSupply exposes over 600K identity documents in a security breach.

In a serious security lapse, an online gift card store in the U.S. has exposed hundreds of thousands of customers’ government-issued identity documents. These documents, which include passports, driving licenses, and other sensitive information, were left unprotected on a publicly accessible storage server. This breach has raised alarms about the security practices of companies handling sensitive customer data, especially those subject to anti-money laundering and know your customer (KYC) regulations.

The Data Exposure: What Happened?

The exposed data was found by a security researcher, known online as JayeLTee, who discovered an unsecured storage server linked to MyGiftCardSupply, a platform that allows users to buy digital gift cards from popular brands. To comply with U.S. anti-money laundering regulations, MyGiftCardSupply requires customers to upload identity documents as part of their KYC checks.

However, the company failed to secure its storage server properly, leaving it without a password. As a result, anyone on the internet could access the documents, which included over 600,000 images of identity documents and selfie photos of around 200,000 customers. This lapse exposed sensitive personal data to potential misuse.

The Impact of the Breach

The data exposed in the breach included critical documents such as passports, driving licenses, and selfie photos used for identity verification. The most recent document uploaded was dated December 31, 2024, and the exposed documents spanned weeks prior, indicating that the server was actively used during this period.

The exposed data was hosted on Microsoft’s Azure cloud, which raises further questions about how such a breach occurred on a reputable cloud platform. The breach also highlights growing concerns over the effectiveness of KYC checks—a process that, while essential for preventing fraud, can expose sensitive personal data if not properly secured.

Company’s Response to the Data Exposure

When TechCrunch reached out, MyGiftCardSupply founder Sam Gastro confirmed the breach, assuring that the files are now secure. The company has promised to conduct a full audit of its KYC procedures and stated that it would delete the files promptly after verifying the customer’s identity moving forward. However, Gastro did not confirm how long the data had been exposed, nor did the company commit to notifying affected individuals.

This security incident follows a troubling pattern of exposures involving KYC documents. Earlier cases include the leak of the World-Check database and an incident at Roomster, which was also reported for leaking customer identity documents.

A Growing Trend of Data Exposures in KYC Systems

This incident underscores a growing concern in the cybersecurity community: the vulnerability of KYC data. KYC checks are meant to help verify customer identities and prevent fraud, but if the data is not handled with utmost care, it can lead to massive security breaches.

Roomster, an online roommate-finding platform, faced a similar issue, in which 320,000 passports and driver’s licenses were exposed. Such incidents have prompted a broader conversation about the need for more robust data protection policies for businesses handling sensitive customer information.

Conclusion: Why Data Security Matters More Than Ever

The MyGiftCardSupply breach serves as a reminder of the risks companies face when handling sensitive personal data. While KYC checks are vital for preventing fraud, businesses must implement the highest levels of security to protect customers’ identity documents. The breach raises questions about cloud storage security, the effectiveness of compliance processes, and the responsibilities companies have to safeguard consumer data.

As businesses continue to expand their digital services, it’s essential to ensure that customer data, especially identity documents, is handled securely. Failure to do so could lead to irreversible damage to customer trust and brand reputation.
