by Ken Macon, Reclaim The Net:
The incident exposes the growing vulnerabilities tied to digital ID systems and mandatory KYC data collection.
A US-based online gift card retailer has resolved a critical data exposure incident that left highly sensitive customer identity documents accessible on the internet, raising concerns about the growing risks posed by mandatory data collection under “know your customer” (KYC) and digital ID regulations.
The issue came to light when a security researcher, known by the alias JayeLTee, discovered an unprotected storage server linked to MyGiftCardSupply. According to TechCrunch, the server, which lacked even basic password protection, contained hundreds of thousands of government-issued IDs, including driver’s licenses and passports, as well as selfies submitted by customers. These documents are required by the company to comply with US anti-money laundering laws, which mandate identity verification for certain transactions.
Despite an attempt by JayeLTee to notify MyGiftCardSupply about the exposure, the company did not respond until TechCrunch reported the breach. MyGiftCardSupply’s founder, Sam Gastro, later confirmed the issue. “The files are now secure, and we are doing a full audit of the KYC verification procedure,” Gastro stated. He also pledged that the company would delete identity documents promptly after verification in the future.
Gastro declined to disclose how long the data had been exposed or whether customers would be informed of the breach. He also did not address why the company ignored the initial warning from the researcher or failed to act sooner to secure the information.
According to JayeLTee, the server, hosted on Microsoft’s Azure cloud platform, contained over 600,000 images of identity documents and selfies from approximately 200,000 customers. These materials are a part of controversial KYC procedures, intended to confirm identities and prevent fraud.
This incident not only underscores the dangers of mishandled personal data but also raises broader concerns about the risks associated with escalating data collection mandates.
As governments worldwide push for stricter KYC regulations and the implementation of digital ID systems, companies are being compelled to gather and store ever-larger amounts of sensitive information. Such expansive data requirements, while aimed at curbing fraud and enhancing security, also increase the likelihood of breaches, exposing customers to significant privacy and security risks.