A cloud misconfiguration exposed passports driver licenses and user data from the Duc app revealing how weak storage controls can turn identity systems into public data leaks

Continue reading
A Canadian money-transfer application, Duc, operated by Duales, has been linked to a significant data exposure incident involving highly sensitive user information stored on infrastructure hosted by Amazon Web Services.
The exposure was not the result of a sophisticated cyberattack, zero-day vulnerability, or malware deployment. Instead, it stemmed from a misconfigured cloud storage environment that allowed unrestricted public access to files containing identity verification data and user records.
At scale, the implications are severe. The dataset reportedly contained:
This incident reflects a broader and increasingly common failure pattern in cloud-native applications, where access control misconfigurations and weak data governance practices convert internal systems into externally accessible data repositories.
The exposure was identified by security researcher Anurag Sen, who discovered that a cloud storage bucket associated with Duc was publicly accessible without authentication.
The persistence of the dataset suggests that this was not a transient misconfiguration, but rather a long-standing architectural oversight.
The exposed data was not limited to low-sensitivity information. Instead, it represented a complete identity verification pipeline, including both raw documents and structured metadata.
These included:
Such data is typically collected under KYC (Know Your Customer) compliance frameworks and is among the most sensitive categories of personal data.
The combination of document scans and selfies is particularly critical because it enables:
The dataset also contained:
This structured information, when correlated with identity documents, forms a complete user profile, significantly amplifying the risk of targeted fraud and financial exploitation.
From a technical standpoint, the exposure had several defining characteristics:
This effectively meant:
> Anyone with access to the endpoint could enumerate, access, and download sensitive data without restriction.
The incident is best understood as a compound failure across multiple layers of cloud security architecture.
The primary issue appears to be a cloud storage bucket configured with overly permissive access controls.
In environments like AWS, such exposure typically arises from:
These configurations can inadvertently allow:
The exposed files were reportedly stored in an unencrypted or weakly protected state, meaning:
Encryption at rest and in transit is considered a baseline requirement for identity data. Its absence indicates a failure in data classification and protection policies.
Duales indicated that the data resided in a staging environment, which introduces a deeper architectural concern.
Staging environments are typically:
However, storing real user data in staging systems without production-grade controls creates a critical vulnerability.
This suggests:
There is no clear indication that:
Without proper observability, organizations lose the ability to:
This transforms a data exposure into a visibility failure, where impact assessment becomes speculative.
Following disclosure:
However, several concerns remain:
Regulatory bodies, including Canada’s privacy authority, have initiated inquiries to assess compliance and determine further action.
This incident is part of a recurring pattern across modern digital platforms, particularly those handling identity verification.
Similar exposures have recently affected:
The common failure pattern includes:
The Duc exposure highlights systemic weaknesses in how modern applications are designed and operated.
Applications that collect:
must treat this data as high-risk assets, equivalent to financial credentials or cryptographic keys.
Failure to do so elevates:
Unlike traditional breaches:
The exposure occurred because:
> The system was configured to allow it.
This represents a shift from exploit-driven attacks to configuration-driven exposures.
Modern systems rely on:
When boundaries between:
are not clearly enforced, the system becomes inherently fragile.
This incident reinforces several critical security principles:
The Duc App exposure is not defined by complexity, but by simplicity.
In modern cloud environments, security failures are rarely dramatic. They are quiet, persistent, and often invisible until someone looks closely enough.
And when identity itself becomes the exposed asset, the consequences extend far beyond a single application.

A third-party software flaw inside one of Japan's largest telcos exposed login credentials for up to 14.2 million email accounts across six ISPs. The passwords? Some were hashed. Some may not have been