A Canadian money transfer app left thousands of sensitive identity documents exposed on the open internet, allowing anyone to access driver’s licenses, passports, and customer data without a password. Duc, a fintech startup serving immigrant communities, misconfigured an Amazon-hosted server that sat unprotected for an unknown period before security researchers discovered the breach. The incident marks another high-profile AWS misconfiguration case, raising urgent questions about cloud security practices in the fintech sector.
Duc, a money transfer app popular among Canadian immigrant communities, just became the latest fintech to fumble basic cloud security. The company left an Amazon Web Services server completely exposed, allowing anyone with internet access to browse through thousands of customer identity documents, including driver’s licenses and passports.
The breach was discovered by security researchers and reported exclusively by TechCrunch. Unlike sophisticated hacking operations, this leak required zero technical skill – the server sat wide open without even basic password protection. Anyone who stumbled across it could download sensitive personal information at will.
What makes this particularly alarming is the nature of the exposed data. Identity documents like driver’s licenses and passports are prime targets for fraudsters, enabling everything from account takeovers to synthetic identity fraud. For Duc’s customers, many of whom use the service to send money internationally to family members, the stakes are exceptionally high.
The company hasn’t disclosed how long the server remained exposed or how many individuals were affected. That timeline matters enormously – every day the data sat unprotected increased the odds that malicious actors discovered and exploited it. Security experts typically assume that exposed databases are found by bad actors within hours or days of becoming accessible.
This isn’t just a Duc problem. It’s the latest in a troubling pattern of fintech companies mishandling customer data stored on AWS. While AWS provides robust security tools, the responsibility for properly configuring those protections falls squarely on the customer. Companies must explicitly set access controls, enable encryption, and audit their security settings regularly.