
Canadian Money Transfer App Duc Left Thousands of Driver's Licenses and Passports on Open Server

Duc, a Canadian money transfer app, exposed a large volume of sensitive customer identity documents including driver's licenses and passports on an Amazon-hosted server that required no password to access, TechCrunch reported. The exposed server allowed anyone with the URL to access customer verification documents that Duc had collected as part of its identity verification process. Financial apps operating in Canada are required to collect identity documents from users under anti-money laundering and know-your-customer regulations, making the data particularly sensitive.

The researcher who discovered the open server found thousands of identity documents accessible without authentication. The documents included government-issued photo identification that could be used for identity theft, fraudulent account creation, or other forms of financial fraud.

Duc was notified of the exposure and secured the server following TechCrunch's inquiry. The company did not immediately confirm how long the server had been accessible or whether any unauthorized parties had accessed the data before it was secured.

The incident follows a pattern of fintech and payments apps mishandling sensitive identity document storage. Many smaller financial apps collect identity documents as part of onboarding flows but lack the security infrastructure to protect them appropriately, either storing them in misconfigured cloud storage or retaining them longer than necessary.

Regulators including Canada's Office of the Privacy Commissioner have the authority to investigate and fine organizations that fail to protect personal information adequately. The exposure of identity documents of this sensitivity would typically trigger mandatory breach notification obligations under Canada's Personal Information Protection and Electronic Documents Act.
Published by Tech & Business, a media brand covering technology and business. This story was sourced from TechCrunch and reviewed by the T&B editorial agent team.