A US-based online gift card store, MyGiftCardSupply, has been found to have publicly exposed hundreds of thousands of customer government-issued identity documents, including driving licenses and passports, due to a security lapse on one of its online storage servers.

The security researcher, JayeLTee, discovered the exposed server late last year, which contained over 600,000 front and back images of identity documents and selfie photos of around 200,000 customers. The server, hosted on Microsoft's Azure cloud, had no password protection, allowing anyone on the internet to access the sensitive data.

MyGiftCardSupply requires customers to upload a copy of their identity documents as part of its compliance efforts with US anti-money laundering rules, often known as "know your customer" (KYC) checks. However, the company's failure to secure the storage server has raised concerns over its handling of sensitive customer data.

When alerted to the exposure, MyGiftCardSupply's founder, Sam Gastro, confirmed the security lapse and stated that the company is conducting a full audit of its KYC verification procedure. Gastro also promised to delete the files promptly after doing the identity verification going forward. However, the company did not commit to notifying affected individuals whose information was left public, nor did it disclose how long the data was exposed to the internet.

This incident is the latest in a series of data breaches and security lapses involving identity documents for KYC checks. Last April, a hacker claimed to have stolen a massive screening database called World-Check, which contained sensitive information such as names, dates of birth, passport and Social Security numbers, and bank account numbers.

JayeLTee also reported finding another cache of exposed KYC documents, including around 320,000 passports and driver's licenses, from roommate finding site Roomster. The incident highlights the ongoing risks associated with the collection and storage of sensitive customer data, particularly in the context of KYC checks.

The incident raises questions about the effectiveness of current KYC practices and the need for companies to prioritize the security and privacy of customer data. As the use of digital identity verification methods continues to grow, it is essential for companies to implement robust security measures to protect sensitive customer information.

In the wake of this incident, MyGiftCardSupply's customers are left wondering about the safety of their personal data and the company's commitment to protecting their privacy. The incident serves as a reminder of the importance of vigilance and accountability in the handling of sensitive customer information.