A publicly accessible Amazon-hosted storage server allowed anyone with a web browser to access potentially hundreds of thousands of people’s personal data without needing a password. This included driver’s licenses, passports, and other personal information collected by the Duc App, a money-transfer service owned by Toronto-based Duales.
The Canadian fintech company said it resolved the data exposure on Tuesday after TechCrunch alerted its chief executive that one of the company’s cloud storage servers was publicly listing its contents, without a password.
The data was also stored unencrypted, meaning anyone with a link to the data was able to view it in full.
Anurag Sen, a security researcher at CyPeace who discovered the security lapse earlier in the week, contacted TechCrunch in an effort to notify the data’s owner. Sen said that anyone could view and download the data using their browser just by knowing the easy-to-guess web address of the storage server.
According to Sen, the Amazon-hosted storage server listed over 360,000 files containing government-issued documents and other information used by customers to verify their identity through “know your customer” checks. These files included user-uploaded selfies to prove their real-world likeness.
TechCrunch could not ascertain the precise number of exposed driver’s licenses and passports; however, several folders in the exposed bucket each contained tens of thousands of user-uploaded files, a sampling of which listed driver’s licenses, passports, and selfies.
Duales touts its app as a way for users to send money to other users, including overseas in Cuba and elsewhere. Its Android app listing on the Google Play app store shows more than 100,000 user downloads to date.
The files, which dated back to September 2020 and were being uploaded daily, also contained spreadsheets listing customer names, home addresses, and the dates, times, and details of their transactions.
When reached by email, Duales chief executive Henry Martinez González told TechCrunch that the data was stored on a “staging site,” referring to a website used primarily for testing, but did not explain why customers’ personal information was publicly accessible in the same database.
“All protections are in place,” Martinez said. “We are notifying the appropriate parties. We have not contracted any services from you.”