Gift Card Store Exposes Customer Identity Documents: A Security Wake-Up Call
In a concerning security lapse, a U.S. online gift card retailer, MyGiftCardSupply, inadvertently exposed hundreds of thousands of customer identity documents on the internet. This revelation came to light when a vigilant security researcher known as JayeLTee discovered the unprotected server late last year. The server, which contained sensitive information such as driving licenses and passports, was accessible to anyone online without a password.
- Over 600,000 identity document images were exposed.
- The data was hosted on Microsoft’s Azure cloud platform.
- Documents included selfies with IDs for verification purposes.
“The files are now secure, and we are doing a full audit of the KYC verification procedure.”
— Sam Gastro, Founder of MyGiftCardSupply
MyGiftCardSupply requires customers to upload identity documents to comply with U.S. anti-money laundering regulations, often referred to as “know your customer” (KYC) checks. However, because the server holding these files required no password, they remained exposed until TechCrunch flagged the issue, after JayeLTee’s initial alert to the company went unanswered.
Sam Gastro, the founder of MyGiftCardSupply, confirmed the breach and stated that immediate measures had been taken to secure the files. He also promised a policy shift towards deleting identity files promptly after verification. Despite these assurances, Gastro did not disclose how long the data was exposed or commit to notifying affected customers.
This incident isn’t isolated. It’s part of a growing trend where companies handling KYC procedures face challenges in securing personal data. Just last year, a massive database used for screening high-risk individuals was reportedly stolen by hackers. Similarly, another cache of KYC documents from Roomster was found exposed by JayeLTee, underscoring the persistent vulnerabilities in data security practices across industries.
The lesson here is clear: businesses must prioritize robust security measures to protect sensitive customer information. As consumers increasingly trust companies with their personal data, ensuring its protection is not just a regulatory requirement but a fundamental responsibility.