
Duc Money Transfer App Left Hundreds of Thousands of Passports and Driver's Licenses Exposed Online
A misconfigured Amazon server left the Duc App's sensitive customer data — including passports and driver's licenses — completely unprotected and accessible to anyone online.
Duc App's Unsecured Server Exposed Massive Trove of Customer Identity Data
A major security lapse at Toronto-based fintech company Duales has left potentially hundreds of thousands of customers vulnerable after a cloud storage server was found to be openly accessible on the internet — completely without password protection.
The exposed server, hosted on Amazon's cloud infrastructure, allowed anyone with a web browser to freely view and download sensitive personal data collected through the company's money transfer platform, the Duc App. The exposed files included government-issued identification documents such as driver's licenses and passports, personal selfies submitted for identity verification, and detailed financial transaction records.
How the Security Flaw Was Discovered
Security researcher Anurag Sen of CyPeace stumbled upon the unprotected server earlier this week and immediately reached out to TechCrunch to help identify and notify the data's owner. According to Sen, the server's web address was straightforward enough to guess, making it trivially easy for anyone to locate and access the data without any technical expertise.
The Amazon-hosted storage server was found to contain more than 360,000 files, many of which were uploaded as part of standard "know your customer" (KYC) identity verification procedures. These files dated as far back as September 2020 and were reportedly still being uploaded on a daily basis at the time of discovery.
Making matters worse, none of the stored data was encrypted — meaning that every document, image, and spreadsheet was fully readable by anyone who accessed the server.
What Data Was Compromised
The full scope of the exposure is significant. Among the leaked files were:
- Government-issued identification documents including driver's licenses and passports
- Customer selfies used to confirm real-world identity during KYC verification
- Spreadsheets containing customer names and home addresses
- Detailed transaction records including the dates, times, and specifics of financial transfers
While TechCrunch was unable to confirm the exact number of exposed identification documents, multiple folders within the storage server each held tens of thousands of individual files.
Company's Response Falls Short
After TechCrunch contacted Duales CEO Henry Martinez González directly, the company moved to restrict access to the files. However, a directory listing of the server's contents remained visible even after the files themselves were locked down.
In his response, Martinez González downplayed the incident by describing the server as a "staging site" — typically used for internal testing — but offered no explanation for why live customer data was being stored there in an unprotected state.
"All protections are in place," he stated. "We are notifying the appropriate parties."
Notably, the CEO declined to clarify whether the company possessed the technical logs necessary to determine who may have accessed the data or how many times it was viewed or downloaded.
The Duc App's website also experienced a brief outage on Thursday, displaying a "bad gateway" error.
Regulators Take Notice
Canada's federal privacy watchdog has since been drawn into the matter. The Office of the Privacy Commissioner of Canada confirmed it had reached out to Duales to gather more information and assess what regulatory action, if any, may be warranted.
"The Office of the Privacy Commissioner of Canada has reached out to the company to obtain more information and determine next steps," a spokesperson confirmed to TechCrunch.
A Growing Pattern of Identity Data Breaches
This incident is far from isolated. As digital platforms increasingly require users to submit government-issued ID as part of onboarding and age verification processes, the risks of mishandling that data are becoming more apparent.
Just last year, the social platform TeaOnHer exposed thousands of users' passports and driver's licenses that had been uploaded as a condition of accessing its gated community features. Discord also confirmed a breach affecting approximately 70,000 government-issued documents tied to its age verification process, amid growing global momentum toward mandatory online age-checking legislation.
Amazon has made efforts in recent years to help developers avoid these types of misconfigurations by introducing automated security checks on its cloud services. Despite these safeguards, lapses continue to occur — often with serious consequences for the individuals whose data is left unprotected.
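The three failures the article describes (a storage bucket reachable without credentials, a policy that let anyone download and even list its contents, and files stored unencrypted) are all visible in a bucket's configuration before anyone finds it. As an added example, not code from the article or from Duales, the Python below audits constructed bucket records for exactly those conditions. The bucket name, the service role ARN and the sample policies are made up; the field names follow the shape of the AWS S3 API responses for GetPublicAccessBlock, GetBucketPolicy and GetBucketEncryption, which is an assumption, and the script runs offline on the embedded documents rather than calling AWS. The "half-fixed" record models the state the article reports after remediation: object downloads removed but the directory listing still public.

```python
import fnmatch
import json

# Constructed sample records in the shape of the AWS S3 API responses
# (assumption about field names; nothing here is Duales' real configuration).
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

WEAK_BUCKET = {
    "Name": "example-kyc-uploads",  # constructed bucket name
    "PublicAccessBlockConfiguration": {k: False for k in PAB_KEYS},
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicReadAndList",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-kyc-uploads",
                         "arn:aws:s3:::example-kyc-uploads/*"],
        }],
    }),
    "ServerSideEncryptionConfiguration": None,  # no default encryption rule
}

# Downloads were removed, but anyone can still list the bucket: this is what a
# directory listing that stays visible after the files are locked down means.
HALF_FIXED_BUCKET = dict(WEAK_BUCKET, Policy=json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::example-kyc-uploads",
    }],
}))

HARDENED_BUCKET = {
    "Name": "example-kyc-uploads",
    "PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS},
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            # constructed role ARN: only the KYC service, not the world
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/kyc-service"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-kyc-uploads/*",
        }],
    }),
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault":
                   {"SSEAlgorithm": "aws:kms"}}]
    },
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True when a statement's Principal is the anonymous wildcard."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_actions(policy_json):
    """Actions that Allow statements grant to everyone. A Condition may narrow
    a wildcard principal; such statements are still reported so a human reviews them."""
    actions = set()
    if not policy_json:
        return actions
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") == "Allow" and principal_is_public(stmt.get("Principal")):
            actions.update(a.lower() for a in _as_list(stmt.get("Action", [])))
    return actions


def _grants(actions, wanted):
    # IAM action names are case-insensitive and may contain wildcards (s3:Get*).
    return any(fnmatch.fnmatchcase(wanted.lower(), pattern) for pattern in actions)


def audit_bucket(bucket):
    """Return a list of finding strings; an empty list means no issue found."""
    findings = []
    pab = bucket.get("PublicAccessBlockConfiguration") or {}
    missing = [k for k in PAB_KEYS if not pab.get(k)]
    if missing:
        findings.append("public-access-block-incomplete: " + ",".join(missing))
    actions = public_actions(bucket.get("Policy"))
    if _grants(actions, "s3:ListBucket"):
        findings.append("public-listing")
    if _grants(actions, "s3:GetObject"):
        findings.append("public-read")
    rules = (bucket.get("ServerSideEncryptionConfiguration") or {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault") for r in rules):
        findings.append("no-default-encryption")
    return findings


if __name__ == "__main__":
    for label, bucket in (("weak", WEAK_BUCKET), ("half-fixed", HALF_FIXED_BUCKET),
                          ("hardened", HARDENED_BUCKET)):
        print(label, audit_bucket(bucket) or ["ok"])
```

The audit only reads configuration, so it can run as a scheduled check against every bucket in an account, and a non-empty result for a bucket that holds KYC material is a page-worthy alert rather than a ticket. Enabling all four Block Public Access settings is the single change that would have made both the weak and half-fixed policies inert, which is why the check reports the missing settings first.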
What Users Should Do
If you are a current or former user of the Duc App, it is advisable to:
- Monitor your financial accounts for any suspicious activity
- Be alert to phishing attempts that may use your personal information
- Consider placing a fraud alert with your country's relevant credit or identity protection services
- Stay informed for any official notifications from Duales regarding the breach
The incident serves as a stark reminder that collecting sensitive personal data comes with an equally serious responsibility to protect it.