Online gift card retailer MyGiftCardSupply was found to have exposed customers’ government-issued IDs and selfies on an unsecured cloud storage server. The server contained over 600,000 passport and driver’s license images and selfies from approximately 200,000 individuals.
The company used this key data for identity verification as part of its “know your customer” (KYC) compliance efforts in adherence to U.S. anti-money laundering regulations.
The breach was discovered by security researcher “JayeLTee,” who identified the exposed Microsoft Azure-hosted server late last year. The exposed server had no password protection, leaving it open for public access and posing a severe risk of identity theft and fraud.
MyGiftCardSupply founder Sam Gastro confirmed the security lapse and stated, “The files are now secure, and we are doing a full audit of the KYC verification procedure.” Gastro also announced plans to delete identity verification files in the future.
However, Gastro declined to disclose the duration of the exposure, elaborate on plans for notifying affected customers, or explain the failure to address the researcher’s initial email report. The most recent file on the server was timestamped “December 31, 2024,” a day before the server was secured, indicating the system was actively in use at the time.
Separately, JayeLTee reported another significant KYC-related exposure affecting roommate finder service Roomster, whose storage system reportedly exposed 320,000 identity documents.
In recent news, online jewelry retailer Glamira confirmed a significant one-year-old data breach that has affected nearly 1 million accounts.