Massive Data Breach: Online Gift Card Store Leaks Hundreds of Thousands of Identity Documents

In a significant security breach, a U.S. online gift card store has unintentionally exposed sensitive customer data, including government-issued identity documents, due to a misconfigured online storage server. This incident raises serious concerns about data privacy and compliance with anti-money laundering regulations.

Details of the Security Lapse

Late last year, a security researcher known as JayeLTee discovered the exposed storage server, which contained a staggering amount of sensitive information. This included:

  • Driving licenses
  • Passports
  • Other government-issued identity documents

The data belonged to MyGiftCardSupply, an online platform that allows customers to purchase digital gift cards for various popular brands and services.

Compliance and KYC Checks

According to MyGiftCardSupply’s website, customers are required to upload copies of their identity documents to comply with U.S. anti-money laundering (AML) regulations, commonly referred to as “know your customer” (KYC) checks. Unfortunately, the storage server housing these documents was left unsecured and accessible without a password, exposing the sensitive data to the public.

Response from MyGiftCardSupply

JayeLTee brought the data breach to the attention of TechCrunch after MyGiftCardSupply failed to respond to his initial communication regarding the security issue. Upon inquiry, MyGiftCardSupply’s founder Sam Gastro confirmed the breach and stated:

“The files are now secure, and we are doing a full audit of the KYC verification procedure. Going forward, we are going to delete the files promptly after doing the identity verification.”

However, Gastro did not disclose how long the data had been exposed or whether the company would notify the affected individuals.

Extent of the Data Exposure

According to JayeLTee, the exposed data was hosted on Microsoft’s Azure cloud and included:

  • Over 600,000 front and back images of identity documents
  • Selfie photos of around 200,000 customers

The most recent document uploaded was dated December 31, 2024, indicating the server was actively used just before it was secured. This incident highlights the ongoing vulnerabilities associated with KYC checks, which are essential for verifying customer identities.

Context Within Recent Data Breaches

This incident is part of a troubling trend of data breaches involving identity documents. In a notable case last April, a hacker allegedly stole a vast screening database called World-Check, used to assess customer risk levels. The leaked data included:

  • Names
  • Dates of birth
  • Passport and Social Security numbers
  • Bank account numbers

Additionally, JayeLTee reported another data exposure incident involving Roomster, a roommate-finding site, where around 320,000 identity documents were similarly compromised. The company claimed no evidence of malicious access to the data.

Conclusion

This ongoing issue with data security underscores the necessity for robust protective measures and compliance with regulations in handling sensitive customer information. As companies like MyGiftCardSupply and Roomster navigate these challenges, vigilance and transparency will be crucial in restoring customer trust.

For more information on data security best practices, visit CISA.
