Online gift card store exposed hundreds of thousands of people’s identity documents

Debra Massey
Last updated: January 4, 2025 12:08 pm

A significant security breach has left hundreds of thousands of individuals vulnerable after an online gift card retailer, MyGiftCardSupply, inadvertently exposed sensitive government-issued identity documents on the internet. This alarming incident highlights ongoing challenges with safeguarding sensitive customer data, particularly when complying with “know your customer” (KYC) regulations.

Publicly Accessible Server Discovered by Security Researcher

The breach came to light late last year when security researcher JayeLTee discovered an unsecured online storage server belonging to MyGiftCardSupply. The server contained highly sensitive information, including driver’s licenses, passports, and selfie photos required for KYC verification. These checks are mandated by U.S. anti-money laundering regulations to ensure that businesses verify their customers’ identities.

Shockingly, the server had no password protection, leaving its contents accessible to anyone on the internet. According to JayeLTee, the exposed server hosted over 600,000 images of identity documents and approximately 200,000 selfie photos of customers, with the most recent uploads dated as late as December 31, 2024. This suggests that the server was actively in use until it was finally secured.

Researcher’s Warning Ignored

JayeLTee alerted MyGiftCardSupply to the exposure, but the initial email went unanswered, prompting the researcher to escalate the matter publicly last week. Following this, MyGiftCardSupply’s founder, Sam Gastro, confirmed the security lapse and stated that the files were now secure. “We are doing a full audit of the KYC verification procedure,” said Gastro. “Going forward, we will promptly delete files after completing the identity verification process.”

However, Gastro declined to provide critical details, such as how long the data had been exposed or whether affected individuals would be notified. He also did not address why the company failed to respond to the researcher’s initial warning or take immediate remedial action.

The Growing Risks of KYC Data Breaches

This breach is part of a troubling trend involving the exposure of sensitive identity documents required for KYC compliance. Companies frequently ask customers to upload selfies holding their IDs to verify authenticity and prevent forgeries, but inadequate security measures often place this data at risk.

In this case, the exposed data was hosted on Microsoft Azure’s cloud infrastructure. While Azure provides robust security tools, it’s ultimately the company’s responsibility to implement proper access controls. The sheer scale of the exposure—affecting hundreds of thousands of customers—highlights the potentially devastating consequences of lax cybersecurity practices.

Roomster’s Security Lapse Adds to the Problem

Just days after reporting the MyGiftCardSupply breach, JayeLTee revealed another cache of exposed KYC documents. This time, the documents originated from Roomster, a roommate-finding platform. According to the researcher, the exposed data included around 320,000 passports and driver’s licenses. It remains unclear how many individuals were impacted by the Roomster breach.

In response, Roomster’s general counsel, Charles Brofman, downplayed the incident, stating, “We have no reason to believe that anyone has hacked the folder or accessed the data for nefarious purposes.” This statement comes amid lingering scrutiny of Roomster’s business practices, as the company was ordered in 2023 to pay $1.6 million following a Federal Trade Commission complaint for allegedly defrauding users with unverified listings and fake reviews.

A Wake-Up Call for Data Security

Data breaches involving KYC documentation are becoming alarmingly frequent, raising questions about whether current practices are sustainable. Just last year, a hacker claimed to have stolen a massive screening database known as World-Check, which is used to identify high-risk customers. That breach exposed names, birthdates, passport numbers, Social Security numbers, and bank account details.

The MyGiftCardSupply incident underscores the urgent need for businesses to strengthen their data protection practices. Implementing robust encryption, regularly auditing security protocols, and promptly deleting sensitive data are just a few steps companies can take to mitigate risk. Customers, too, must remain vigilant about where and how they share personal information, especially with companies requiring KYC compliance.

As regulators push for stricter compliance measures, companies must prioritize cybersecurity to protect their customers and maintain public trust. Incidents like these serve as a stark reminder of what’s at stake when sensitive data is left unprotected in an increasingly digital world.
