
Money Transfer App Duc Left Thousands of Driver's Licenses and Passports Publicly Exposed Online


Over 360,000 files containing passports, driver's licenses, selfies, and transaction records sat wide open on an Amazon-hosted server, accessible to anyone who knew—or could guess—the web address. No password required. No encryption to slow anyone down. Just a direct line to the sensitive financial identity data of what appears to be hundreds of thousands of customers of the Duc App, a money-transfer service operated by Toronto-based fintech company Duales.

The exposure was discovered by CyPeace security researcher Anurag Sen, who flagged it to TechCrunch after failing to reach the company directly. TechCrunch then alerted Duales CEO Henry Martinez González, after which the files were made inaccessible—though notably, a directory listing of the server's contents reportedly remains visible.

What Was Actually Exposed

The scope here matters. This wasn't a minor technical hiccup involving a handful of test accounts. The exposed Amazon S3 bucket contained files dating back to September 2020 and was receiving fresh uploads daily at the time of discovery. Folders contained tens of thousands of user-uploaded images—government-issued identity documents gathered through the app's "know your customer" (KYC) verification process, alongside selfies submitted to prove liveness. Spreadsheets in the same bucket listed customer names, home addresses, and detailed transaction records including dates, times, and amounts.

The Duc App markets itself as a cross-border money transfer platform, with a particular focus on remittances to Cuba. Its Google Play listing shows over 100,000 downloads. That figure puts some rough scale on the potential exposure, though TechCrunch could not independently verify the precise number of individuals affected.

The CEO's Response Raises More Questions Than It Answers

Martinez González's reply to TechCrunch deserves scrutiny. He characterized the exposed server as a "staging site"—developer terminology for a test environment used before pushing code to production—without explaining why real customer data, including live identity documents, was stored there. "All protections are in place," he said, a statement that is difficult to reconcile with a publicly accessible, unencrypted bucket that had apparently been that way for years.

When asked whether the company had logs to determine who had accessed the data—and for how long—he declined to answer. That's a significant gap. Without access logs, Duales cannot tell regulators, or affected customers, whether bad actors downloaded the data before the bucket was locked down. Canada's Office of the Privacy Commissioner has since reached out to the company seeking more information, and the company's website briefly displayed a "bad gateway" error following TechCrunch's inquiries.

Why Misconfigured Cloud Storage Keeps Happening

Amazon Web Services made headlines years ago for a wave of S3 bucket misconfigurations that exposed data from companies ranging from Facebook to Samsung to a U.S. intelligence contractor. In response, AWS introduced default-private settings and added warnings when users attempt to make buckets public. Those safeguards have made accidental exposure harder—but clearly not impossible.

The persistence of these incidents points to a gap that is less technical than organizational. Developers working in staging environments frequently work with real user data because synthetic test data doesn't adequately replicate production conditions. Without strict data governance policies—rules that prohibit or tightly control the use of real personal data outside secure production systems—staging environments become quiet liability traps. The irony is that staging environments are often subject to less rigorous security review precisely because they're not considered "real" infrastructure. Duales appears to have fallen into exactly this trap.

The unencrypted storage compounds the problem. Encrypting data at rest doesn't prevent a misconfigured bucket from being publicly accessible, but it adds a meaningful barrier: an attacker who downloads encrypted files still needs a decryption key to read them. Storing identity documents unencrypted removes that last line of defense entirely.
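The safeguards described in the two paragraphs above (the bucket-level public access block, bucket policies and ACLs that grant access to everyone, and default encryption at rest) can be checked mechanically rather than by hoping nobody clicked the wrong box. The script below is an added example written for this article, not code from Duales, Duc App or TechCrunch; it evaluates configuration snapshots in the shape the S3 API returns and reports a bucket readable by anyone and a bucket with no default encryption. In a live audit the snapshots would come from boto3's get_public_access_block, get_bucket_policy, get_bucket_acl and get_bucket_encryption; here both snapshots, the bucket names, the statement Sids and the placeholder key IDs are constructed so the check runs offline.

```python
# Offline audit of S3 bucket configuration snapshots (added example, constructed data).
# The "exposed staging" snapshot is a hypothetical shape of the failure mode the
# article describes, not the Duales configuration, which was never published.

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "s3:Get*", "s3:List*"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principal_is_public(principal):
    # "*" or {"AWS": "*"} means any caller, including unauthenticated ones.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_read_statements(policy):
    """Sids of Allow statements granting read to everyone with no Condition.

    Simplification: any Condition is treated as restricting the audience. AWS's
    own public-bucket definition only honours a fixed set of condition keys."""
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if set(_as_list(stmt.get("Action", []))) & READ_ACTIONS and not stmt.get("Condition"):
            hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits


def acl_public_grants(acl):
    """(group, permission) pairs for grants to the AllUsers/AuthenticatedUsers groups."""
    out = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            out.append((grantee["URI"].rsplit("/", 1)[-1], g.get("Permission")))
    return out


def audit_bucket(snapshot):
    """Return a list of (severity, message) findings for one bucket snapshot."""
    findings = []
    pab = snapshot.get("PublicAccessBlockConfiguration") or {}
    missing = [k for k in PAB_KEYS if not pab.get(k)]
    if missing:
        findings.append(("HIGH", "Public access block not fully enabled: " + ", ".join(missing)))
    policy = snapshot.get("Policy")
    if policy:
        public = policy_public_read_statements(policy)
        # RestrictPublicBuckets neutralises a public policy, so only flag when it is off.
        if public and not pab.get("RestrictPublicBuckets"):
            findings.append(("CRITICAL", "Bucket policy grants anonymous read: " + ", ".join(public)))
    grants = acl_public_grants(snapshot.get("Acl") or {})
    if grants and not pab.get("IgnorePublicAcls"):
        findings.append(("CRITICAL", "Public ACL grants: " + ", ".join(f"{g}:{p}" for g, p in grants)))
    enc = snapshot.get("ServerSideEncryptionConfiguration") or {}
    # Buckets created since January 2023 get SSE-S3 by default; older ones may have nothing.
    if not enc.get("Rules"):
        findings.append(("HIGH", "No default server-side encryption rule configured"))
    return findings


# Constructed snapshot: a staging bucket holding real uploads with nothing locked down.
EXPOSED_STAGING = {
    "Name": "example-staging-kyc-uploads",
    "PublicAccessBlockConfiguration": None,
    "Policy": {"Version": "2012-10-17", "Statement": [{
        "Sid": "PublicReadForDevelopers", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-staging-kyc-uploads",
                     "arn:aws:s3:::example-staging-kyc-uploads/*"]}]},
    "Acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    "ServerSideEncryptionConfiguration": None,
}

# Constructed snapshot: the same bucket with the controls the paragraphs above describe.
HARDENED = {
    "Name": "example-prod-kyc-uploads",
    "PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS},
    "Policy": {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-prod-kyc-uploads/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]},
    "Acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
                        "Permission": "FULL_CONTROL"}]},
    "ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "KMS-KEY-ID-PLACEHOLDER"}}]},
}

if __name__ == "__main__":
    for snap in (EXPOSED_STAGING, HARDENED):
        print(snap["Name"])
        for sev, msg in audit_bucket(snap) or [("OK", "no findings")]:
            print(f"  [{sev}] {msg}")
```

The check is deliberately conservative in one direction and loose in another: it only flags anonymous read when the account-level or bucket-level public access block would not already override it, and it treats any policy Condition as narrowing the audience, which the real AWS definition of "public" does not. Running it across every bucket in an account, staging included, is the point; the article's lesson is that the staging bucket is the one nobody audits.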

The KYC Paradox Putting Users at Risk

There's a structural tension at the heart of this incident that deserves attention beyond Duales specifically. Financial services regulations—and increasingly, age verification laws for online platforms—are pushing apps to collect more identity documentation than ever before. KYC requirements, designed to prevent money laundering and fraud, are a legal mandate for money-transfer services. Apps cannot simply opt out of collecting passports and driver's licenses; regulators require it.

But the regulatory frameworks compelling this data collection have not kept pace with standards for securing it. Users uploading a government ID to unlock a financial service have no meaningful way to evaluate whether that company has adequate security controls. They're trusting an app with information that, in the wrong hands, enables identity theft, account fraud, and financial harm—often without any visibility into how that data is stored or protected.

The pattern is becoming impossible to ignore. TeaOnHer exposed thousands of users' passports and driver's licenses last year. Discord confirmed a breach of roughly 70,000 government-issued documents uploaded during its age-verification rollout. Now Duc App. Each incident involves the same sequence: regulatory or product pressure drives data collection, security practices don't match the sensitivity of what's being gathered, and researchers or journalists surface the exposure before—or instead of—internal security teams.

What Affected Users Should Do Now

If you've used the Duc App and completed identity verification at any point since September 2020, you should operate on the assumption that your documents may have been accessed by unauthorized parties. The practical steps are the same as with any serious identity document exposure.

Contact your country's passport authority and driver's licensing body to flag your documents as potentially compromised. In Canada, this means reaching out to Passport Canada and your provincial licensing authority. Monitor your credit reports for any unusual activity—both Equifax and TransUnion offer free monitoring in Canada—and consider placing a fraud alert on your credit file. If you used the same address listed in your transaction records for other financial accounts, alert those institutions as well. Because the exposed data included transaction histories alongside identity documents, the combination is particularly useful for social engineering and account takeover attacks.

Duales said it is "notifying the appropriate parties," but given the company's apparent uncertainty about who accessed the data, affected users shouldn't wait for that notification to act.

The Regulatory Pressure Building Behind the Scenes

Canada's privacy regulator entering the picture is the development most likely to have long-term consequences for Duales. The Office of the Privacy Commissioner operates under PIPEDA—Canada's federal private-sector privacy law—which requires organizations to implement security safeguards appropriate to the sensitivity of the data they hold. Government-issued identity documents and financial transaction records sit at the top of the sensitivity spectrum.

The regulator's involvement also signals that this incident won't simply fade once the bucket is locked. Investigations can take months and result in findings that compel remediation, public reporting, and in some cases referrals to other authorities. For a company with 100,000-plus app downloads and an apparent gap between its security posture and the sensitivity of what it holds, that scrutiny arrives at a precarious moment.

The broader pressure building across the fintech sector is toward mandatory security standards for identity data—not just best-practice guidance, but enforceable requirements with teeth. The accumulation of incidents like this one is exactly the kind of evidence that regulators cite when making the case for stricter rules. Duales may not be the company that changes the regulatory calculus, but it's contributing to the pile.