Canadian fintech firm Duales, operator of the Duc money-transfer app, left an Amazon S3 server publicly accessible for nearly four years, exposing unencrypted passports, driver’s licenses, selfies, and transaction records of thousands of users. The breach, discovered by researcher Anurag Sen, revealed a continuous upload of sensitive documents since September 2020 - a flagrant disregard for basic data security.

- Figure 1 -

Despite regulatory mandates requiring identity verification, fintech firms like Duc face minimal legal obligations to secure the data they collect. The company claimed the server was for testing, but offered no explanation for why live customer documents were stored there without encryption or access logs. Duc could not confirm whether unauthorized parties had accessed the data.
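A defender-side posture check for the three gaps the article names (a publicly reachable bucket, no encryption at rest, no access logs), written as an added example rather than code from the article or from Duales. It assumes the response shapes returned by boto3's `get_public_access_block`, `get_bucket_encryption` and `get_bucket_logging`; the sample inputs are constructed, so it runs without an AWS account.

```python
"""Audit S3 bucket configuration for the gaps described in the Duc incident.
Added example. Response dicts follow the boto3 S3 client API shapes (assumption)."""
from typing import Optional

# All four flags must be True for S3 Block Public Access to be fully effective.
REQUIRED_PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                      "BlockPublicPolicy", "RestrictPublicBuckets")


def assess_posture(pab: Optional[dict], enc: Optional[dict], log: Optional[dict]) -> list:
    """Return findings for one bucket. Each argument is the raw API response, or
    None when S3 reported that no such configuration exists at all
    (NoSuchPublicAccessBlockConfiguration / ServerSideEncryptionConfigurationNotFoundError)."""
    findings = []
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    missing = [f for f in REQUIRED_PAB_FLAGS if not cfg.get(f)]
    if missing:
        findings.append("public access not fully blocked: " + ", ".join(missing))
    rules = (enc or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules):
        findings.append("no default server-side encryption")
    # get_bucket_logging returns {} (no LoggingEnabled key) when logging is off.
    if not (log or {}).get("LoggingEnabled", {}).get("TargetBucket"):
        findings.append("server access logging disabled")
    return findings


def audit_bucket(s3, name: str) -> list:
    """Live wrapper: `s3` is a boto3 S3 client; absent configurations become None."""
    from botocore.exceptions import ClientError

    def fetch(call, *absent_codes):
        try:
            return call(Bucket=name)
        except ClientError as e:
            if e.response["Error"]["Code"] in absent_codes:
                return None
            raise
    return assess_posture(
        fetch(s3.get_public_access_block, "NoSuchPublicAccessBlockConfiguration"),
        fetch(s3.get_bucket_encryption, "ServerSideEncryptionConfigurationNotFoundError"),
        fetch(s3.get_bucket_logging))


# Constructed samples: a "test" bucket with none of the controls, and a hardened one.
NEGLECTED = assess_posture(None, None, {})
HARDENED = assess_posture(
    {"PublicAccessBlockConfiguration": {f: True for f in REQUIRED_PAB_FLAGS}},
    {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
    {"LoggingEnabled": {"TargetBucket": "example-log-bucket", "TargetPrefix": "duc/"}})
```

Run `audit_bucket(boto3.client("s3"), "<bucket-name>")` against a real account to get the same findings list for a live bucket; an empty list means all three controls are present.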

The incident mirrors a broader pattern: over 70% of fintech apps now demand government IDs, yet nearly one in ten cloud storage buckets used by small operators lacks basic access controls. Similar breaches have occurred at TeaOnHer, Discord, and even U.S. government agencies.

Canada’s PIPEDA framework lacks the prescriptive security requirements and enforcement penalties seen in the EU’s GDPR or Australia’s updated Privacy Act. Until collecting identity data carries equal responsibility for securing it, such breaches will remain inevitable.