Fintech apps demand your passport for verification - then leave it on an unprotected server - Silicon Canals
Briefly

"The breach is a sharp illustration of a structural gap now running through the fintech industry: regulatory compliance frameworks increasingly require apps to collect government-issued identity documents, but the compliance burden rarely extends with equal force to how that data is stored after collection."
"According to a 2025 Jumio survey, more than 70 percent of fintech apps now require users to upload a government-issued ID during onboarding. Yet industry analyses consistently find that many small and mid-size operators lack even basic protections like server-side encryption or access logging for the document repositories they build."
"Security researcher Anurag Sen of CyPeace discovered the misconfigured server and contacted TechCrunch to help identify the data's owner. The files dated back to September 2020 and were being uploaded daily, meaning the exposure was not a historical snapshot but an actively growing repository of sensitive identity documents."
Duc's money-transfer app left an Amazon-hosted server publicly accessible, exposing unencrypted files containing sensitive personal data such as driver's licenses, passports, and transaction records. Regulatory compliance in the fintech industry requires apps to collect government-issued IDs, but there is little obligation to protect this data post-collection. A 2025 survey indicates over 70% of fintech apps require such IDs, yet many lack basic security measures. The exposed server accumulated sensitive documents for nearly four years, representing a significant risk to personal data security.