In the world of fintech, trust is the primary currency. However, the money-transfer service Duc App, owned by the Toronto-based company Duales, recently suffered a significant blow to its reputation. A massive security oversight left a treasure trove of sensitive customer documents—including passports and driver’s licenses—completely accessible to anyone with a web browser.
A Wide-Open Digital Vault
The exposure was discovered by Anurag Sen, a security researcher at CyPeace, who found an Amazon-hosted storage server that required no password for access. Because the data was stored without encryption, the contents were visible to anyone who happened upon the server’s web address.
The scale of the leak is staggering. The server contained more than 360,000 files, many of which were collected as part of mandatory “know your customer” (KYC) identity checks. The exposed data included:
- Government-issued IDs (passports and driver’s licenses)
- User-uploaded selfies used for identity verification
- Spreadsheets containing customer names and home addresses
- Detailed transaction logs dating back to September 2020
The “Staging Site” Defense
When alerted to the vulnerability, Duales CEO Henry Martinez González claimed the data was hosted on a “staging site” used for testing. However, he offered no explanation as to why live, sensitive customer information was being used in a testing environment or why it was left publicly accessible.
While the company has since secured the server, it remains unclear if Duales has the logging capabilities to determine how many unauthorized parties may have accessed or downloaded the data during the years it sat exposed.
A Growing Pattern of KYC Vulnerabilities
This incident is part of a troubling trend where platforms demand high-level identity verification but fail to implement basic security protocols. Duc App, which has over 100,000 downloads on the Google Play store, joins a list of recent high-profile failures. Last year, the app TeaOnHer exposed thousands of user documents, and Discord confirmed a breach affecting 70,000 government IDs.
Even major entities are not immune; misconfigured Amazon buckets have previously leaked data from corporate giants and even a U.S. spy agency.
The Office of the Privacy Commissioner of Canada has confirmed it is seeking more information from Duales to determine the next steps in holding the company accountable for this lapse.
