Fintech exposes millions of customer files, fails to close the leak

Several million passports, voter IDs, and other documents have sat unguarded for at least several months, and the company is either unaware or unwilling to take action.

The exposed data, stored in a bucket at a popular cloud service provider, contains nearly three million files, primarily consisting of Know Your Customer (KYC) documents. These are crucial for verifying users’ identities to comply with anti-money laundering regulations.

The leak, which the Cybernews research team discovered in early September, was attributed to a Mexican company, Miio. The firm provides financial services and low-cost mobile phone plans – which explains why it needs to store KYC documents.

According to the team, the exposed files cover the period 2017 through 2024. Since the company was established in 2017, this strongly suggests all of its customers were impacted by the leak.

The team noted that the unprotected bucket contains 2.9 million scans of various KYC documents, such as:

  • Passports and IDs
  • Driver’s licenses
  • Voter IDs
  • Selfies for verification

All of the above serve as proof of identity. As has become customary for remote ID verification, after uploading a government-issued ID, users are often required to take a selfie to confirm they’ve submitted their own data.

Hackers want to know your customers, too

While the team has no confirmation that malicious actors accessed the exposed instance, threat actors constantly monitor the web for unprotected servers. In other words, if our team has found this, it’s likely that others have, too.

Needless to say, attackers crave government-issued IDs since having these significantly assists them in identity theft. Possessing users' KYC documents enables attackers to open bank accounts, apply for loans, or obtain credit cards, for example.

Since attackers can steal user identity, the risk of financial fraud skyrockets as well. For one, cybercrooks could use the leak to gain unauthorized access to financial services.

“Cybercriminals can misuse the individual's identity to open fraudulent accounts, apply for loans or credit cards, and make unauthorized transactions,” the team said.

Since some services require ID verification when users want to restore their passwords, skilled attackers may also use leaked IDs and selfies to take over other user accounts. Researchers warn that this could enable attackers to gain full control of a person’s financial accounts, resulting in unauthorized transfers or altered account settings.

“In the context of Miio’s role as a telcobank serving a wide base of customers, such a leak would undermine trust in their ability to safeguard sensitive data, exposing their users to severe financial and personal risks,” the team said.

Falling on deaf ears

The team believes the main reason behind the leak is misconfiguration. Such mistakes occur quite often, and in the end it is the company’s customers who must judge whether they can tolerate such an oversight.

However, the most disconcerting aspect of the Miio leak is that the bucket has now been open for more than three months. Numerous attempts to reach the company have been met with silence.

Mexico’s CERT was also contacted about the issue. However, it did not acknowledge receiving our alert. We have reached out to Miio for official comment about the leak and will update the article once we receive a reply.

To prevent similar issues, the team suggests the following:

  • Change the access controls to restrict public access and secure the bucket. Update permissions to ensure that only authorized users or services have the necessary access.
  • Retrospectively review access logs to assess whether unauthorized actors have accessed the bucket.
  • Enable server-side encryption to protect data at rest.
  • Implement SSL/TLS for data in transit to ensure secure communication.
  • Consider implementing security best practices including regular audits, automated security checks, and employee training.
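The retrospective log review in the list above can be scripted. The block below is an added example, not code from the article or from Miio: it parses a few constructed server access log lines and flags successful reads made without any credentials, which is the signal that an open bucket was actually harvested rather than merely exposed. It assumes an S3-style access log layout (the article does not name the provider); the bucket name, object keys, IP addresses and requester identities are constructed.

```python
import re

# Assumed S3-style server access log layout (the article does not name the
# provider); fields after the error code are ignored.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d{3}|-) (?P<error>\S+)'
)

# Constructed sample: three unauthenticated reads that succeeded (the state the
# article describes), one read by a legitimate service role, and one anonymous
# request denied after public access was removed. Lines are in time order.
SAMPLE_LOG = """\
ownerid kyc-docs [12/Sep/2024:10:00:01 +0000] 203.0.113.7 - REQ1 REST.GET.BUCKET - "GET /?prefix=kyc/ HTTP/1.1" 200 - 4218 - 12 11 "-" "Mozilla/5.0" -
ownerid kyc-docs [12/Sep/2024:10:00:05 +0000] 203.0.113.7 - REQ2 REST.GET.OBJECT kyc/passports/0001.jpg "GET /kyc/passports/0001.jpg HTTP/1.1" 200 - 381204 381204 40 38 "-" "Mozilla/5.0" -
ownerid kyc-docs [13/Sep/2024:02:14:33 +0000] 198.51.100.20 - REQ3 REST.GET.OBJECT kyc/selfies/0001.jpg "GET /kyc/selfies/0001.jpg HTTP/1.1" 200 - 211873 211873 35 30 "-" "curl/8.4.0" -
ownerid kyc-docs [13/Sep/2024:09:30:00 +0000] 10.0.4.15 arn:aws:iam::111122223333:role/kyc-verifier REQ4 REST.GET.OBJECT kyc/passports/0002.jpg "GET /kyc/passports/0002.jpg HTTP/1.1" 200 - 402117 402117 22 20 "-" "aws-sdk-go/1.44" -
ownerid kyc-docs [14/Sep/2024:11:05:42 +0000] 203.0.113.7 - REQ5 REST.GET.OBJECT kyc/passports/0003.jpg "GET /kyc/passports/0003.jpg HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "Mozilla/5.0" -
"""

READ_OPS = {"REST.GET.OBJECT", "REST.GET.BUCKET"}  # object download, prefix listing

def parse_log(text):
    """Parse each line into a dict of named fields; non-matching lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]

def anonymous_reads(records):
    """Successful reads where no credentials were presented (requester is '-')."""
    return [r for r in records
            if r["requester"] == "-" and r["operation"] in READ_OPS
            and r["status"].startswith("2")]

def summarize(records):
    """What a responder needs first: how much left, who enumerated, from where, since when."""
    hits = anonymous_reads(records)
    return {
        "objects_read": sum(r["operation"] == "REST.GET.OBJECT" for r in hits),
        "listings": sum(r["operation"] == "REST.GET.BUCKET" for r in hits),
        "source_ips": {r["ip"] for r in hits},
        "first_seen": hits[0]["time"] if hits else None,  # relies on time order
        "keys": sorted(r["key"] for r in hits if r["key"] != "-"),
    }

if __name__ == "__main__":
    for field, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{field}: {value}")
```

A listing (REST.GET.BUCKET) by an anonymous requester is worth treating as seriously as the object downloads, since it shows the bucket contents were enumerated, not stumbled upon.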

  • Leak discovered: September 12th
  • Initial disclosure: October 2nd
  • CERT contacted: November 7th