Security Operations, Data Security, Application security

Duc App exposes hundreds of thousands of personal records due to server misconfiguration

(Adobe Stock)

As reported by TechCrunch, a significant data exposure incident has come to light involving the Duc App, a money-transfer service owned by Duales. The company's publicly accessible Amazon-hosted storage server, left without password protection, exposed sensitive personal data of potentially hundreds of thousands of users.

The exposed data included unencrypted driver's licenses, passports, and other identity verification documents, along with selfies and personal information such as names and home addresses. Security researcher Anurag Sen discovered the lapse and alerted TechCrunch, noting that the server's contents were easily accessible via a web browser.

The data, dating back to September 2020, was uploaded daily. Duales, which facilitates international money transfers, stated the data was on a "staging site" but did not explain the public accessibility. The company claimed to have resolved the exposure after being notified, though a list of server contents remained visible.

Source: TechCrunch

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds