Duales: Top money transfer site Duc leaks user passport and driving license data info online

Duc App Exposed 360,000 Unencrypted Customer Files in Major Data Leak

A Canadian money transfer service, Duc App, left a publicly accessible Amazon-hosted database containing sensitive customer data, exposing over 360,000 unencrypted files. Security researcher Anurag Sen of CyPeace discovered the breach, which included personal details such as names, home addresses, transaction records, and KYC documents like driver’s licenses and passports.

The exposed files, dating back to September 2020 and updated daily, were accessible to anyone with an internet connection. After Sen alerted TechCrunch, the publication contacted Duc App’s parent company, Duales, which secured the database. Duales CEO Martinez González confirmed the data was stored on a "staging site" but did not explain why it was publicly accessible.

While the company stated that "all protections are now in place," it remains unclear whether malicious actors accessed the data before its discovery. Cloud misconfigurations, often due to misunderstandings about security responsibilities, are a leading cause of such leaks. The incident highlights ongoing risks in improperly secured cloud storage.

Source: https://www.techradar.com/pro/security/top-money-transfer-site-duc-leaks-user-passport-and-driving-license-data-info-online

Duales cybersecurity rating report: https://www.rankiteo.com/company/duales

"id": "DUA1775235439",
"linkid": "duales",
"type": "Breach",
"date": "9/2020",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'customers_affected': '360,000+',
                        'industry': 'FinTech',
                        'location': 'Canada',
                        'name': 'Duc App',
                        'type': 'Money Transfer Service'}],
 'attack_vector': 'Cloud Misconfiguration',
 'data_breach': {'data_encryption': 'No (unencrypted files)',
                 'file_types_exposed': ['Driver’s licenses',
                                        'Passports',
                                        'Transaction records'],
                 'number_of_records_exposed': '360,000+',
                 'personally_identifiable_information': 'Yes (names, home '
                                                        'addresses, government '
                                                        'IDs)',
                 'sensitivity_of_data': 'High (PII, financial data, '
                                        'government-issued IDs)',
                 'type_of_data_compromised': ['Personal details',
                                              'Transaction records',
                                              'KYC documents']},
 'date_detected': '2023-09-00',
 'date_publicly_disclosed': '2023-09-00',
 'date_resolved': '2023-09-00',
 'description': 'A Canadian money transfer service, Duc App, left a publicly '
                'accessible Amazon-hosted database containing sensitive '
                'customer data, exposing over 360,000 unencrypted files. The '
                'exposed files included personal details such as names, home '
                'addresses, transaction records, and KYC documents like '
                'driver’s licenses and passports. The data was accessible to '
                'anyone with an internet connection until it was secured after '
                'being reported.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage',
            'data_compromised': '360,000 unencrypted files',
            'identity_theft_risk': 'High',
            'legal_liabilities': 'Potential regulatory fines',
            'payment_information_risk': 'High',
            'systems_affected': 'Amazon-hosted database'},
 'investigation_status': 'Resolved (database secured)',
 'lessons_learned': 'Cloud misconfigurations due to misunderstandings about '
                    'security responsibilities are a leading cause of data '
                    'leaks. Proper access controls and encryption are critical '
                    'for sensitive data storage.',
 'post_incident_analysis': {'corrective_actions': 'Database secured, '
                                                  'protections implemented '
                                                  '(per company statement)',
                            'root_causes': 'Cloud misconfiguration (publicly '
                                           'accessible database), lack of '
                                           'encryption for sensitive data'},
 'recommendations': ['Implement strict access controls for cloud databases',
                     'Encrypt sensitive customer data at rest and in transit',
                     'Conduct regular security audits of cloud environments',
                     'Train staff on shared responsibility models in cloud '
                     'security',
                     'Establish a clear incident response plan for data leaks'],
 'references': [{'date_accessed': '2023-09-00', 'source': 'TechCrunch'},
                {'date_accessed': '2023-09-00',
                 'source': 'CyPeace (Security Researcher Anurag Sen)'}],
 'regulatory_compliance': {'regulations_violated': ['Potential PIPEDA (Canada)',
                                                    'Potential GDPR (if EU '
                                                    'customers affected)']},
 'response': {'communication_strategy': 'Public disclosure via TechCrunch',
              'containment_measures': 'Database secured after notification',
              'remediation_measures': 'All protections now in place (per '
                                      'company statement)',
              'third_party_assistance': 'Security researcher Anurag Sen of '
                                        'CyPeace'},
 'title': 'Duc App Exposed 360,000 Unencrypted Customer Files in Major Data '
          'Leak',
 'type': 'Data Leak',
 'vulnerability_exploited': 'Publicly accessible database'}