Duc Money Transfer App Exposes Thousands of Driver’s Licenses and Passports in Major Security Failure

A significant security failure at a Canadian fintech company has put the personal data of potentially hundreds of thousands of people at risk. The Duc App, a money-transfer service, left a cloud storage server containing sensitive user documents openly accessible to anyone on the internet without a password. This incident highlights a persistent and dangerous trend in digital finance.

How the Duc App Data Breach Happened

Security researcher Anurag Sen discovered the exposed server earlier this week. The server, hosted on Amazon Web Services, was configured to publicly list its contents. Consequently, anyone with a web browser could view and download the files simply by knowing its web address. The data was stored without encryption, removing any final barrier to accessing the full contents of the files.

According to Sen’s analysis, the server contained over 360,000 files. These were not just random documents; they were the core identity verification materials submitted by users. This means the breach involved driver’s licenses, passports, and user-uploaded selfies—the very documents used to prove “who you are” in the digital world.

The Scope of the Exposed Information

Building on this, the exposure was not limited to static images. The server also held spreadsheets with detailed customer records. These files listed names, home addresses, and the specific dates, times, and details of financial transactions. The files dated back to September 2020 and were being updated daily, indicating a live, ongoing leak of personal and financial data.

Company Response and Lingering Questions

When contacted by TechCrunch, Duales CEO Henry Martinez González stated the data was on a “staging site” used for testing. However, he did not explain why real, sensitive customer information was present on a test server or why that server was publicly accessible. His claim that “all protections are in place” stands in stark contrast to the reality of the open server.

After the notification, the company made the files inaccessible. Nevertheless, a critical question remains unanswered: Martinez González would not confirm if the company has logs to determine who accessed the data or how many times it was downloaded. This lack of visibility means affected users may never know if their data was copied by malicious actors.

A Recurring Problem in Digital Verification

This Duc App data breach is not an isolated event. It fits a worrying pattern where companies aggressively collect sensitive identity documents but fail to implement corresponding security measures. Apps and websites increasingly demand passports and driver’s licenses for “Know Your Customer” (KYC) checks, yet the custodianship of this data is often shockingly weak.

For instance, last year, the social app TeaOnHer exposed thousands of similar documents required for user verification. In another case, Discord confirmed a breach affecting about 70,000 government IDs uploaded for age verification. Each incident erodes user trust and demonstrates a systemic failure to prioritize data security from the outset.

Therefore, the core issue extends beyond a single misconfigured server. It points to a flawed approach where data collection is prioritized over data protection. Companies treat sensitive ID documents as just another file type, storing them in standard cloud buckets without the stringent, additional safeguards they inherently require.

Regulatory Scrutiny and User Fallout

In response to this incident, the Office of the Privacy Commissioner of Canada has initiated contact with Duales. The regulator is seeking more information to determine its next steps, which could include an investigation and potential penalties. This regulatory attention is becoming more common as the frequency and severity of such breaches increase.

For users of the Duc App, the implications are severe. Exposure of a driver’s license or passport number creates a high risk of identity theft and fraud. These documents are difficult to change and are master keys to a person’s identity. Combined with exposed home addresses and transaction histories, the potential for targeted phishing attacks or financial fraud is significantly heightened.

As a result, affected individuals must remain vigilant. They should monitor their financial accounts for unusual activity, be wary of sophisticated phishing attempts referencing their Duc App transactions, and consider placing fraud alerts with credit bureaus. For more guidance on protecting yourself after a data breach, read our guide on post-breach security steps.

Preventing the Next Cloud Storage Catastrophe

So, what can be done to stop this cycle? First, companies must adopt a “security by design” philosophy. Sensitive data like government IDs should be encrypted at rest and in transit by default. Access should be governed by strict, role-based permissions, not left open to the public internet. Regular security audits and penetration testing are non-negotiable for any service handling financial or identity data.

Furthermore, the use of production data on staging or test servers should be strictly prohibited. These environments are inherently less secure and are frequent targets for attacks. Instead, anonymized or synthetic data should be used for all testing and development purposes. Learn more about secure development practices in our article on building secure fintech applications.

Ultimately, the Duc App data breach serves as another stark reminder. In the rush to build and launch digital services, fundamental security practices are too often an afterthought. Until companies are held fully accountable for the data they collect—both legally and in the court of public opinion—these preventable exposures will continue to put millions of people at risk.

Hims & Hers Confirms Third-Party Customer Support System Breach

The digital healthcare landscape faces another security challenge. Hims & Hers, a prominent telehealth provider, has officially confirmed a data breach impacting its external customer service platform. This incident highlights the persistent vulnerabilities within third-party systems that handle sensitive user information.

According to a filing with the California attorney general’s office, unauthorized actors infiltrated the company’s third-party ticketing system over a four-day period in early February. Consequently, they exfiltrated a significant volume of support tickets submitted by customers. While the company states medical records were not accessed, the nature of support communications often contains a wealth of personal and account-specific details.

Scope and Nature of the Hims & Hers Data Breach

Building on this, the precise number of affected individuals remains undisclosed. California law mandates public disclosure for breaches involving 500 or more state residents, indicating the scale is likely substantial. The company’s notice confirms that stolen data included customer names and contact information. However, other categories of personal data were redacted in the public filing, leaving questions about the full extent of the exposure.

A company spokesperson attributed the incident to a social engineering attack. In such schemes, hackers manipulate employees into granting system access, bypassing technical safeguards. This method underscores that human factors remain a critical weak link in cybersecurity defenses, even for established companies.

What Information Was Compromised?

While Hims & Hers emphasizes that the data “primarily” included names and email addresses, the context is crucial. Support tickets for a telehealth service can contain sensitive inquiries related to medications, treatments, and personal health circumstances. Therefore, even without formal medical records, the breached data could paint a detailed and private picture of an individual’s health journey.

The Rising Threat to Customer Support Platforms

This incident is not isolated. In recent months, customer support and ticketing systems have become prime targets for financially motivated cybercriminals. These platforms are treasure troves of personal data, which can be used for identity theft, phishing campaigns, or extortion. For instance, a similar breach at Discord last year led to the exposure of government-issued IDs for tens of thousands of users.

The pattern is clear: attackers are shifting focus to the soft underbelly of corporate operations—the vendors and platforms managing customer interactions. This trend demands a reevaluation of how companies secure their entire digital ecosystem, not just their core applications.

Response and Ongoing Implications

As a result of the breach, affected customers should be on high alert for phishing attempts. Fraudsters often use stolen names and email addresses to craft convincing, targeted messages. Hims & Hers has not disclosed whether the hackers made any ransom demands, a common tactic following such intrusions.

For consumers, this event serves as a stark reminder. When sharing information with any service, it’s vital to consider where that data flows and who else might have access. The security of a company is only as strong as its weakest vendor. For more insights on protecting your digital health information, explore our guide on healthcare data privacy.

Ultimately, the Hims & Hers data breach exposes a critical vulnerability in modern business infrastructure. It reinforces the need for robust vendor risk management and continuous employee security training. As the telehealth sector grows, so too must its commitment to safeguarding the trust placed in it by patients. Companies must implement stringent access controls and multi-factor authentication, especially for systems handling sensitive data. Learn more about effective security protocols in our article on preventing social engineering attacks.

Critical Infrastructure Under Siege: The Multi-Million Pound Price of OT Downtime

For the guardians of the UK’s essential services, a cyber-attack is no longer just a data breach. It’s a direct assault on the physical world, with a staggering financial toll. A new study reveals a harsh reality: the vast majority of critical national infrastructure (CNI) providers are staring down potential OT downtime costs ranging from £100,000 to a crippling £5 million per incident.

The Staggering Financial Impact of OT Disruption

This means that for four out of five organisations in sectors like energy, transport, and manufacturing, a successful attack on their operational technology is a multi-million pound event. Building on this, the data shows the severity is not uniform. Alarmingly, nearly a quarter of all OT downtime incidents result in losses exceeding £1 million. For 6% of victims, the bill surpasses £5 million. This financial devastation explains why fear is a dominant emotion in security teams today.

Why Nation-State Fears Are Skyrocketing

Consequently, nearly two-thirds of cybersecurity leaders now cite nation-state attacks as their primary concern. This fear reflects a fundamental shift in the cyber threat landscape. “The objective has evolved,” explains Rob Demain, CEO of e2e-assure, the firm behind the research. “It’s not solely about stealing data for profit. Adversaries are now weaponising attacks to cripple operations and exert strategic pressure on the services society depends on.”

In essence, the impact in OT environments is immediate and tangible. Unlike IT systems that manage data, industrial systems control physical processes. A breach can halt production lines, disrupt power grids, or—most critically—compromise safety mechanisms. Therefore, the cost is measured not just in currency, but in real-world paralysis.

Geopolitical Tensions Amplify the Cyber Threat

Meanwhile, global instability is pouring fuel on this fire. Recent geopolitical events, such as tensions involving Iran, have heightened alert levels. While Iranian cyber capabilities may not match the scale of Russia or China, their intent and proven ability to hijack CNI networks are undeniable. In fact, intelligence agencies have warned of sustained campaigns where Iranian actors used techniques like password spraying to infiltrate critical sectors.

A UK parliamentary committee has previously stated that it is “unlikely” all domestic entities can detect or fend off such Iranian offensive cyber activity. This admission underscores a pervasive vulnerability. As a result, the threat is not hypothetical; it is a clear and present danger with a direct line to operational disruption.

The Visibility Gap: A Critical Weakness in OT Security

Despite the high stakes, a dangerous complacency exists. Over two-fifths of organisations admit they are “least concerned” about having visibility into their own OT network activity. This blind spot is a gift to attackers. Nation-states often breach IT systems via phishing or stolen credentials before pivoting silently into the more valuable OT environment. Without clear visibility, detecting this lateral movement is nearly impossible, hindering any effective response.

The data confirms this operational failing. Although some firms claim they can detect a breach within hours, a troubling 10% of large enterprises take over a year to fully remediate an incident. This prolonged exposure window allows attackers to embed themselves deeply, increasing the potential for catastrophic OT downtime costs.

The Expanding Attack Surface: Third-Party Risk

Furthermore, the risk extends far beyond an organisation’s own digital walls. Supply chain compromise has emerged as a major vector. Last year alone, 21% of mid-sized CNI organisations reported four or more security incidents linked to suppliers or third parties. This interconnectedness means a vulnerability in a small software vendor or service provider can become a backdoor into the nation’s most critical systems. For more on managing these complex risks, see our guide on third-party security frameworks.

Beyond Downtime: The Ripple Effects of an Attack

Ultimately, the consequences of an OT breach ripple far beyond immediate operational stoppages. For security leaders, reputational damage and loss of brand trust are top concerns, cited by 25% and 20% respectively. In smaller organisations, the impact is felt internally, with 37% highlighting staff turnover as a major issue following a severe incident. The trauma of a major attack can drive away skilled personnel, creating a secondary crisis.

This collective picture demands a paradigm shift. Protecting operational technology is no longer a niche IT concern; it is a core business continuity and national security imperative. Investing in specialised OT visibility, segmentation, and incident response is not an optional cost but a critical investment to avoid those multi-million pound OT downtime costs. To start building a more resilient posture, explore our resource on developing an OT security program.

In summary, the message from the front lines is clear. The UK’s critical infrastructure is in the crosshairs, and the price of failure is measured in millions and societal disruption. The time for enhanced vigilance and investment is now.