ADVERTISEMENT

Mexican fintech startup Kapital leaves client IDs and selfies leaking for months

Small business owners in Mexico should know that their financial partners might leak sensitive personal information. Researchers have discovered a huge exposed database containing voter IDs and selfies collected by the financial technology firm Kapital.

Kapital, fintech, research

Image by Cybernews.

Ernestas Naprys
Ernestas Naprys Senior Journalist
Dec 10, 2024 Updated: 8 December 2025 2 min read
voter-id-kapital

Clients at risk

ADVERTISEMENT
Marcus Walsh Paulina Okunyte Stefanie justinasv
Get our latest stories today on Google News
Add us as your Preferred Source on Google.

What the firm should’ve done

  • Encryption: Enable server-side encryption for the bucket to ensure that data stored within it is encrypted at rest. Additionally, consider implementing client-side encryption for added security, especially for highly sensitive data.
  • Monitor access logs retrospectively: This helps assess whether unauthorized actors have accessed the bucket.
  • Regular Security Audits: Establish a schedule for regular security audits and reviews of all Google Cloud Storage buckets to identify and address any security risks or vulnerabilities proactively. This can help prevent future data leaks and ensure ongoing compliance with security best practices.
  • Consider implementing security best practices: Ensure compliance with strong security frameworks and certifications.
  • Inform: contact the affected parties and provide support.

Disclosure timeline

  • September 8th, 2024: leak discovered.
  • September 10th, 2024: initial disclosure email sent to Kapital.
  • October 23rd, 2024: disclosure to CERT-MX.
ADVERTISEMENT