An online gift card store in the US has secured an online storage server that publicly exposed hundreds of thousands of customers’ government-issued IDs.
A security researcher who goes by the online handle JayeLTee found the publicly exposed storage server late last year. It contained driver’s licenses, passports and other identity documents belonging to MyGiftCardSupply, a company that sells digital gift cards that customers redeem at popular brands and online services.
MyGiftCardSupply’s website says it requires customers to upload a copy of their identity documents as part of its compliance efforts with US anti-money laundering rules, often known as “know your customer” checks or KYC.
But the storage server containing the files had no password, allowing anyone on the Internet to access the data stored inside.
JayeLTee alerted TechCrunch to the exposure last week after MyGiftCardSupply did not respond to the researcher’s email about the exposed data.
When reached by TechCrunch, MyGiftCardSupply founder Sam Gastro confirmed the security breach. “The files are now secure and we are doing a full audit of the KYC verification procedure,” Gastro said. “In the future, we will delete the files immediately after we do the identity verification.”
Gastro would not say how long the data was exposed online, nor would the company commit to notifying the affected individuals whose information was made public. Gastro also did not address why MyGiftCardSupply did not respond to the researcher’s email or fix the security flaws at the time.
According to JayeLTee, the exposed data – hosted on Microsoft’s Azure cloud – contained over 600,000 front and back images of ID documents and selfies of around 200,000 customers. It is not uncommon for companies undergoing KYC checks to ask their customers to take a selfie while holding a copy of their identity documents to verify that the customer is who they say they are and to eliminate fakes.
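The article does not say which setting left the Azure storage open, but the class of failure it describes, blob data readable without credentials, is governed by two settings that an owner can audit. The following is an added defender-side example (not code from the article, from TechCrunch, or from MyGiftCardSupply): it parses constructed samples of Azure CLI output and flags the account-level `allowBlobPublicAccess` switch and any container whose access level permits anonymous reads. Account and container names are made up.

```python
import json

# Constructed sample of `az storage account show -n <account> -o json`,
# trimmed to the one field that matters here; real output has many more keys.
SAMPLE_ACCOUNT = '{"name": "kycuploads", "allowBlobPublicAccess": true}'

# Constructed sample of `az storage container list --account-name kycuploads -o json`.
# properties.publicAccess is null for a private container and "blob" or
# "container" when anonymous (unauthenticated) reads are allowed.
SAMPLE_CONTAINERS = """[
  {"name": "kyc-documents", "properties": {"publicAccess": "container"}},
  {"name": "selfies",       "properties": {"publicAccess": "blob"}},
  {"name": "app-logs",      "properties": {"publicAccess": null}}
]"""


def audit_public_access(account_json: str, containers_json: str) -> list[dict]:
    """Return one finding per setting that permits anonymous access.

    Two layers are checked: the account-level allowBlobPublicAccess switch,
    which merely permits public containers, and each container's own access
    level, which is what actually lets an unauthenticated client list or
    read blobs. Both should be off for KYC uploads to stay private.
    """
    account = json.loads(account_json)
    containers = json.loads(containers_json)
    findings: list[dict] = []

    # Anything other than an explicit false is treated as permissive.
    if account.get("allowBlobPublicAccess") is not False:
        findings.append({
            "scope": "account", "name": account.get("name", "?"),
            "issue": "allowBlobPublicAccess is not disabled",
            "fix": "az storage account update -n <account> "
                   "--allow-blob-public-access false",
        })

    for c in containers:
        level = (c.get("properties") or {}).get("publicAccess")
        if level:  # "blob": blobs readable by URL; "container": listing too
            findings.append({
                "scope": "container", "name": c["name"],
                "issue": f"anonymous access level is '{level}'",
                "fix": f"az storage container set-permission -n {c['name']} "
                       "--account-name <account> --public-access off",
            })
    return findings


if __name__ == "__main__":
    for f in audit_public_access(SAMPLE_ACCOUNT, SAMPLE_CONTAINERS):
        print(f"[{f['scope']}] {f['name']}: {f['issue']}\n    fix: {f['fix']}")
```

Run against live `az` output, it gives the same two-layer view: disabling the account switch blocks new public containers, and setting each container to `off` closes the ones already exposed.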
The most recent document uploaded to the server was dated December 31, 2024, the day before MyGiftCardSupply secured the exposed server. Thousands of customers uploaded their identity documents in the previous weeks, suggesting that the storage server was actively used.
This is the latest in a long list of incidents and data breaches in recent years involving identity documents for KYC checks, which remains one of the most widely supported techniques for verifying customer identity.
Last April, a hacker claimed to have stolen a massive screening database called World-Check, a database used by companies to determine whether customers are high-risk or involved in potential criminality. A copy of the leaked records showed the database contained names, dates of birth, passport and Social Security numbers and bank account numbers.
JayeLTee reported separately on Thursday that it found another cache of exposed KYC documents, including about 320,000 passports and driver’s licenses, from the roommate-finding site Roomster.
In a blog post, JayeLTee said it wasn’t clear exactly how many individuals were affected by the Roomster security breach, and its CEO John Shriber did not return TechCrunch’s email seeking comment. Roomster in 2023 was ordered to pay $1.6 million after a Federal Trade Commission complaint for allegedly defrauding millions of its users by posting unverified listings and fake reviews.