U.S. platforms MyGiftCardSupply & Roomster expose sensitive data. Unprotected KYC documents spark concerns over privacy and security flaws

Continue reading
In the latest series of data security incidents, two prominent online platforms—MyGiftCardSupply and Roomster—have come under scrutiny for exposing sensitive customer data, including government-issued identity documents, to the public internet. These incidents highlight the persistent vulnerabilities in online services and the dire consequences of inadequate data protection practices.
A security researcher known as JayeLTee discovered that MyGiftCardSupply, an online store for digital gift cards, was exposing hundreds of thousands of identity documents through an unsecured online storage server. This repository, hosted on Microsoft’s Azure cloud, contained over 600,000 images of government-issued IDs such as driver’s licenses and passports, alongside selfie photos of around 200,000 customers.
The company requires these documents as part of its compliance with U.S. anti-money laundering (AML) rules, commonly referred to as “know your customer” (KYC) checks.
Despite the critical nature of these documents, the server was not password-protected, leaving the data accessible to anyone on the internet. Such exposure could have led to identity theft, fraudulent activities, or misuse of personal information by malicious actors. The lack of basic security measures on such a sensitive repository underscores a significant lapse in safeguarding customer trust and privacy. JayeLTee reported the issue to MyGiftCardSupply late last year but received no response. Only after informing TechCrunch did MyGiftCardSupply founder Sam Gastro confirm the security lapse. Gastro stated, _“The files are now secure, and we are doing a full audit of the KYC verification procedure. Going forward, we are going to delete the files promptly after doing the identity verification.”_
However, Gastro did not clarify how long the data was exposed or whether affected individuals would be notified. The most recent exposed file was dated December 31, 2024, indicating that the server remained actively used until its closure. The incident raises questions about MyGiftCardSupply’s initial lack of response and its accountability in protecting sensitive customer data. Implementing earlier measures, such as routine security audits, real-time monitoring of server configurations, and automatic alerts for unauthorized access, could have prevented this exposure. Strengthening employee training on data protection protocols and establishing a clear incident response plan would also help mitigate such risks in the future.
Roomster, an online roommate and housing platform, also faced revelations of exposed data, including 320,000 government-issued IDs, through an unprotected server. This lapse is not the company’s first controversy. Roomster was previously ordered to pay $1.6 million following a Federal Trade Commission (FTC) complaint for defrauding renters with fake reviews and unverified listings.
In mid-November 2024, JayeLTee identified the server hosting millions of files, including personal identification documents, and reported the breach to Roomster’s listed contact email. With no response, the researcher escalated the matter to the New York State Attorney General’s (NYSAG) office. The exposed data remained accessible until late December 2024, suggesting a two-year window of vulnerability based on server logs dating back to mid-2022.
Roomster’s general counsel, Charles Brofman, later stated, _“We have no reason to believe that anyone has hacked the folder or that anyone has accessed the data and used it in any nefarious way.”_
While this assurance may aim to alleviate concerns, it falls short of addressing the broader public’s apprehension. Greater transparency regarding the investigation and potential risks could help rebuild trust and demonstrate a commitment to accountability. This statement contrasts with the critical importance of verifying such claims and ensuring robust data protection measures.
These incidents underscore the recurring risks associated with KYC verification processes. Industries such as banking and fintech, which also rely heavily on KYC, face similar challenges in balancing security with user experience. For example, while banks implement multi-factor authentication and encrypted data storage, they too have faced breaches, highlighting the universal need for stringent and proactive measures to protect sensitive customer data.
Despite their intent to prevent fraud and criminal activity, KYC checks—and the sensitive data they require—often become attractive targets for hackers. Last April, for example, a hacker exposed the World-Check database, a repository of high-risk individuals’ information used globally by financial institutions.
Moreover, the reliance on identity verification via selfies and documents raises concerns about user privacy and data retention practices. As seen in the cases of MyGiftCardSupply and Roomster, poor implementation and oversight exacerbate these risks.
Government agencies are stepping up enforcement to curb such negligence. The FTC, along with state attorneys general, successfully secured a consent order against Roomster, mandating transparency and stringent verification of its listings. The order includes monetary penalties and strict oversight of the company’s affiliate marketing practices.
Similarly, while MyGiftCardSupply’s founder claims corrective action, the lack of transparency in addressing customer impact calls for regulatory scrutiny. The absence of notifications to affected individuals further exemplifies a failure to uphold basic data breach response protocols.

A third-party software flaw inside one of Japan's largest telcos exposed login credentials for up to 14.2 million email accounts across six ISPs. The passwords? Some were hashed. Some may not have been