
Movistar Costa Rica, a major telecommunications company, leaked hundreds of thousands of IDs, creating a potential goldmine for cybercriminals. However, the company states there is no evidence data was downloaded.
A Cybernews investigation unveiled a major leak of identification documents, work permits, and selfies used for know-your-customer (KYC) identification.
The files were stored on an unprotected Google Cloud Storage bucket that was discovered in early December 2024. The open instance was attributed to Movistar, a major telecoms player in Costa Rica. The company is the second-largest mobile operator in the country and provides mobile and television services.
The exposed storage was missing a password, leaving nearly 650,000 files with extremely sensitive data openly accessible to anyone on the internet.

What Movistar data was leaked?
- Passports
- Driver's licenses
- Voter IDs
- National identification cards
- Work permits
- Selfies used in KYC

Customers at risk of financial losses
The security blunder, which exposed KYC documents such as national IDs and KYC selfies, poses significant security threats to Movistar customers in Costa Rica.
Although no evidence exists that malicious actors accessed the exposed instance, threat actors continuously scan the web for unprotected servers. If the security researchers were able to find the leaked data, cybercriminals could likely have done the same.
Government-issued IDs are a treasured catch for attackers, since the leaked documents can help with stealing a victim's identity. Besides providing personal data, passport scans are a sought-after item on the dark web, especially if accompanied by a supporting identification document, such as a selfie.
Selfies are increasingly used in KYC verification to confirm that the person submitting the documents is their legitimate owner. The standard process requires users to take a selfie while holding their identification document next to their face.

Some financial institutions or fintech platforms only require two pieces of identification to open a new account. Using a stolen passport scan together with a selfie that includes a document, scammers could set up fraudulent accounts.
Having a fake account set up in your name can cause a multitude of problems. For example, the fraudulent account could be used as a mule account to launder money from other illegal transactions.
Cybercriminals can also use stolen identities to submit fraudulent applications for loans and credit cards and gain unauthorized access to government services like tax returns or social security benefits.
“Attackers could use the exposed data to bypass security measures and gain unauthorized access to financial accounts or other personal services tied to Movistar customers and steal funds,” our research team said.
Because the data was left open to anyone on the internet, the leak raises the question of Movistar’s ability to comply with local data protection regulations. Cybernews contacted the company, and access to the data has been secured.
The company confirmed that one of the third-party repositories allowed limited access to certain company records. In an emailed statement, a spokesperson stated that the security team secured the database from unauthorized access and implemented additional security measures.
The company has claimed that there is no evidence that information has been captured, downloaded, or misused.
“We will continue to investigate this matter while assessing and monitoring the situation to ensure compliance with local regulations,” the company spokesperson said.
To prevent similar data leaks, Cybernews suggests:
- Adjust access controls to disable public access, ensuring only authorized users and services can interact with the bucket
- Regularly audit bucket permissions to confirm that only necessary roles and accounts have access to sensitive data. Implement Identity and Access Management (IAM) roles to enforce the principle of least privilege
- Enable and routinely review Cloud Storage access logs to detect unauthorized access or suspicious activity. Utilize Google Cloud Logging to identify unusual access patterns
- Verify that server-side encryption is enabled to safeguard stored data. While Google Cloud Storage encrypts data at rest by default, ensure the settings are properly configured
- Manage encryption keys securely with Google Cloud’s Key Management Service (KMS), restricting access to authorized users only
- Enforce HTTPS for all communications to ensure data remains secure while being transmitted between clients and the storage service
- Conduct regular security audits, automate compliance checks with Google Cloud Security Command Center, and provide ongoing security training for employees
- Configure alerts via Google Cloud Security Command Center or Stackdriver Monitoring to detect unusual access attempts or modifications to critical configurations in real time
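
An audit for the first two recommendations above, added here as an example (not code from Cybernews or Movistar). It assumes a bucket resource and IAM policy in the shape the Cloud Storage JSON API returns; the bucket names, service account and sample data are constructed.

```python
# Principals that make a grant public in Cloud Storage IAM and legacy ACLs.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

def audit_bucket(bucket: dict, iam_policy: dict) -> list:
    """Return public-exposure findings for one bucket (empty list = clean)."""
    findings = []
    name = bucket.get("name", "<unnamed>")
    iam_cfg = bucket.get("iamConfiguration", {})

    # "inherited" means prevention applies only if an organization policy
    # enforces it, so the bucket itself does not block public grants.
    pap = iam_cfg.get("publicAccessPrevention", "inherited")
    if pap != "enforced":
        findings.append(f"{name}: publicAccessPrevention is '{pap}', not 'enforced'")

    # Without uniform bucket-level access, per-object ACLs can expose
    # individual files even when the bucket-level policy looks clean.
    if not iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled", False):
        findings.append(f"{name}: uniform bucket-level access is disabled")

    # IAM bindings: any role granted to a public principal is a finding.
    for binding in iam_policy.get("bindings", []):
        for member in sorted(PUBLIC_PRINCIPALS.intersection(binding.get("members", []))):
            findings.append(f"{name}: {binding.get('role')} granted to {member}")

    # Legacy bucket ACL entries name the grantee in 'entity'.
    for entry in bucket.get("acl", []):
        if entry.get("entity") in PUBLIC_PRINCIPALS:
            findings.append(f"{name}: legacy ACL {entry.get('role')} granted to {entry['entity']}")
    return findings

# Constructed sample data (hypothetical names), not taken from the incident.
SVC = "serviceAccount:kyc-ingest@example-project.iam.gserviceaccount.com"
OPEN_BUCKET = {"name": "example-kyc-uploads", "iamConfiguration": {
    "publicAccessPrevention": "inherited",
    "uniformBucketLevelAccess": {"enabled": False}}}
OPEN_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.objectAdmin", "members": [SVC]}]}
LOCKED_BUCKET = {"name": "example-kyc-locked", "iamConfiguration": {
    "publicAccessPrevention": "enforced",
    "uniformBucketLevelAccess": {"enabled": True}}}
LOCKED_POLICY = {"bindings": [
    {"role": "roles/storage.objectAdmin", "members": [SVC]}]}

if __name__ == "__main__":
    for b, p in ((OPEN_BUCKET, OPEN_POLICY), (LOCKED_BUCKET, LOCKED_POLICY)):
        for line in audit_bucket(b, p) or [f"{b['name']}: no public exposure found"]:
            print(line)
```

Run on a schedule against every bucket in a project, a non-empty result for a bucket holding KYC documents is the condition to alert on.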

- Leak discovered: December 2nd, 2024
- Initial disclosure: December 9th, 2024
- Closed: February 18th, 2025