Gift Card Store Data Breach: Identity Documents Exposed

Data Breach Exposes Customer Identity Documents at Online Gift Card Store
A U.S.-based online retailer specializing in gift cards suffered a significant security lapse. An online storage server belonging to the company was found to be publicly accessible, exposing a substantial number of customer identity documents to the open internet.
Discovery of the Exposed Server
The unsecured server was discovered late last year by a security researcher known as JayeLTee. The server contained sensitive information, including driving licenses, passports, and other forms of government-issued identification, all belonging to customers of MyGiftCardSupply.
MyGiftCardSupply requires customers to submit copies of their identification as part of its compliance with U.S. anti-money laundering regulations. These regulations, commonly referred to as “know your customer” (KYC) checks, are designed to prevent financial crimes.
Lack of Security Measures
Critically, the storage server lacked any password protection. This meant that anyone with an internet connection could potentially access the data it contained.
After failing to receive a response from MyGiftCardSupply regarding the exposed data, JayeLTee contacted TechCrunch to report the security lapse.
Company Response and Remediation
Upon being contacted by TechCrunch, MyGiftCardSupply founder Sam Gastro acknowledged the security issue. He stated that the files have now been secured and a comprehensive audit of the KYC verification process is underway.
Gastro indicated that the company will now delete identity verification files immediately after the verification process is completed.
Limited Transparency
However, Gastro did not disclose the duration of the data exposure. Furthermore, the company did not commit to notifying individuals whose information was compromised, and Gastro did not explain the initial lack of response to the researcher’s warning.
Scale of the Data Exposure
According to JayeLTee, the exposed data, hosted on Microsoft’s Azure cloud platform, included over 600,000 images of both sides of identity documents. Approximately 200,000 customers also had accompanying selfie photos exposed.
The practice of requesting selfies with identification documents is common for KYC checks. It helps verify a customer’s identity and prevent fraudulent activity.
The most recent documents uploaded to the server were dated December 31, 2024, indicating the server was actively in use until it was secured the following day.
Recurring Issue with KYC Data
This incident is part of a growing trend of data breaches involving identity documents collected for KYC purposes. KYC checks remain a widely used method for customer verification.
Last April, a hacker claimed responsibility for stealing a large database called World-Check. This database is utilized by companies to assess customer risk and potential criminal involvement. The leaked data included sensitive information such as names, dates of birth, Social Security numbers, and bank account details.
Another Exposure at Roomster
JayeLTee also reported discovering another exposed cache of KYC documents, this time belonging to the roommate-finding site Roomster. This included around 320,000 passports and driver’s licenses.
The exact number of individuals affected by the Roomster security lapse remains unclear.
Roomster’s Response
Roomster CEO John Shriber did not respond to TechCrunch’s request for comment. However, a statement from the company’s general counsel, Charles Brofman, asserted that there is no evidence of unauthorized access or misuse of the data.
Roomster was previously ordered to pay $1.6 million in 2023 following a Federal Trade Commission complaint. The complaint alleged that the company defrauded users by posting unverified listings and fabricated reviews.
This article has been updated to include a statement from Roomster.
