
Exposed Amazon Server Left Customer Data Accessible Without a Password

A Toronto-based money transfer app left driver's licenses, passports, and personal data for potentially hundreds of thousands of users openly accessible on an unencrypted Amazon server, no password required.

By Marcus Williams
Source: techcrunch.com

Driver's licenses. Passports. Unencrypted, no password, accessible to anyone with a web browser. That was the condition of a cloud storage server belonging to Duales, the Toronto-based fintech company behind the Duc App money-transfer service, until the company locked it down after being alerted to the exposure.

The publicly accessible Amazon-hosted server was listing its contents openly on the internet, making potentially hundreds of thousands of users' identity documents and personal information available in full to anyone who found it. Because the files were stored unencrypted, there was no secondary barrier: a direct link to any document was enough to view it completely.

Identity documents of this kind sit at the top of the fraud risk pyramid. A government-issued photo ID paired with a name and address is sufficient to open bank accounts, apply for credit, or construct a synthetic identity by layering real credentials onto a fabricated profile. For a money-transfer app that requires customers to submit identity verification as part of its know-your-customer onboarding, the exposure covers precisely the documents that financial criminals most want.

Duales said it resolved the exposure after being alerted by a reporter, but has not disclosed how long the server was publicly accessible, whether server access logs were preserved, or whether any unauthorized party downloaded files before the window closed. Those details matter considerably: the absence of a known bad actor does not mean the data was not accessed, and without log evidence, the company cannot credibly rule out prior access.


Canada's privacy regulator, the Office of the Privacy Commissioner, confirmed it had been notified. "The Office of the Privacy Commissioner of Canada has reached out to the company to obtain more information and determine next steps," a spokesperson said by email, declining to elaborate on whether a formal investigation had been opened. Under Canada's Personal Information Protection and Electronic Documents Act, companies are obligated to notify regulators and affected individuals of breaches that pose a real risk of significant harm, a threshold that exposed passport scans and driver's licenses would almost certainly meet.

Anyone who submitted identity documents to Duc App as part of account verification should act immediately. Place a fraud alert or credit freeze with Equifax, TransUnion, and Experian to block new account openings in your name. Contact your provincial or state motor vehicle authority to flag your driver's license number as potentially compromised; most jurisdictions allow affected individuals to request a replacement license with a new number. If your passport number was submitted, report the potential exposure to Immigration, Refugees and Citizenship Canada and monitor your travel document history through the federal government's secure portal. Review financial account activity for unfamiliar transactions or new accounts you did not open.

Amazon has added automated security checks to its cloud storage platform in recent years specifically to prevent misconfigured servers from sitting publicly open, following a wave of high-profile exposures that included U.S. government data. That Duales managed to leave a server publicly accessible despite those guardrails points to a deliberate or deeply negligent configuration choice, one the company has yet to explain.
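The guardrails referred to above are S3 Block Public Access and default bucket encryption. As an added example (not from the article or from Duales), the following audit flags the two failure modes the story describes: a bucket whose listing is readable by the public, and a bucket with no default encryption. It assumes the "Amazon-hosted server" was an S3 bucket; `SAMPLE_ACL` is a constructed response, and the pure helpers take the dict shapes that the boto3 `get_bucket_acl`, `get_public_access_block` and `get_bucket_encryption` calls return.

```python
from typing import Optional

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed sample: ACL of a bucket whose object listing is readable by everyone.
SAMPLE_ACL = {"Owner": {"ID": "owner-id-placeholder"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}


def public_acl_findings(acl: dict, pab: Optional[dict]) -> list:
    """Findings for public ACL grants. acl: get_bucket_acl() response; pab: the
    PublicAccessBlockConfiguration dict, or None when none is configured."""
    # With IgnorePublicAcls on, S3 ignores public ACL grants: still a hygiene
    # problem worth fixing, but not a live exposure.
    ignored = bool(pab and pab.get("IgnorePublicAcls"))
    status = "ignored by Block Public Access" if ignored else "EFFECTIVE"
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") != "Group" or uri not in (ALL_USERS, AUTH_USERS):
            continue
        who = "anyone on the internet" if uri == ALL_USERS else "any AWS account"
        perm = grant.get("Permission")
        if perm in ("READ", "FULL_CONTROL"):
            findings.append(f"bucket listing readable by {who}: {status}")
        if perm in ("WRITE", "FULL_CONTROL"):
            findings.append(f"bucket writable by {who}: {status}")
    return findings


def default_encryption(enc: Optional[dict]) -> Optional[str]:
    """SSE algorithm applied to new objects by default, or None if no rule exists."""
    for rule in (enc or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            return algo
    return None


def audit_bucket(name: str) -> dict:
    """Live check with boto3 (needs AWS credentials); helpers above stay offline-testable."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    acl = s3.get_bucket_acl(Bucket=name)
    try:
        pab = s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
    except ClientError:  # NoSuchPublicAccessBlockConfiguration: guardrail absent
        pab = None
    try:
        enc = s3.get_bucket_encryption(Bucket=name)
    except ClientError:  # ServerSideEncryptionConfigurationNotFoundError
        enc = None
    return {"public": public_acl_findings(acl, pab), "encryption": default_encryption(enc)}
```

An empty `public` list together with a non-None `encryption` value is the state the article says Duales' server was not in; bucket policies can also grant public access and should be reviewed separately.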
