TL;DR: Security researcher Anurag Sen discovered on April 2, 2026 that the Duc App (a Toronto-based money transfer service with 100,000+ downloads) left over 360,000 unencrypted files on a publicly accessible Amazon S3 server. The files include passports, driver’s licenses, selfies taken for identity verification, customer names, home addresses, and years of transaction records, dating back to September 2020. No password. No encryption. Anyone with the web address could browse and download everything. The company’s CEO called it a “testing environment,” but couldn’t explain why real customer documents were on it. Canada’s Privacy Commissioner is investigating.
Five Years of Passports, Wide Open
Here’s what was sitting on an Amazon S3 bucket with no password, no encryption, and no access controls for nearly five years[1]:
- Government-issued passports: full pages with photos, names, dates of birth, passport numbers
- Driver’s licenses: front and back scans
- Selfies: the ones users were required to upload for “Know Your Customer” identity verification
- Customer names and home addresses
- Detailed transaction records: who sent money to whom, how much, and when, going back years
Over 360,000 files. All in plaintext. Anyone with a web browser who knew the URL (which TechCrunch described as “easy-to-guess”) could see everything[2].
New files were still being uploaded daily when the researcher found it. The system was actively collecting and exposing customer identity documents in real time.
How It Was Found
Anurag Sen, a security researcher at CyPeace, discovered the open server in early April 2026. He contacted TechCrunch to help identify and notify the data’s owner. TechCrunch’s Zack Whittaker reached out to Duales CEO Henry Martinez González, who secured the server on April 2 after the notification[1].
Martínez González called it a “testing environment” and a “staging site.” He did not explain why real customer passports and driver’s licenses were stored in a testing environment. He declined to confirm whether access logs existed, meaning the company may have no way to tell if anyone else downloaded 360,000 identity documents before the server was locked down[2][3].
The Duc App website briefly went offline after the disclosure[3].
The KYC Trap: Give Us Your Identity or You Can’t Use the App
This is the part that should make you angry.
Duc didn’t just happen to have your passport. They demanded it. The app requires government-issued photo ID and a matching selfie before you can send money. That’s standard “Know Your Customer” (KYC) compliance: anti-money-laundering regulations require money transfer services to verify your identity[4].
The deal is supposed to work like this: you hand over your most sensitive documents, and in exchange, the company protects them with the kind of security you’d expect for, say, a passport.
Instead, Duc stored them on a public server. Unencrypted. For five years.
This is the fundamental problem with mandatory identity collection. Governments and regulators force companies to collect your most sensitive documents. But there’s no equivalent mandate for how well those documents must be secured. The collection is required. The protection is optional.
A 2025 report found that misconfigurations across seven major cloud providers exposed 660,000 storage buckets and 200 billion files, along with 110,000 credentials[5]. Duc isn’t an outlier. It’s a symptom.
What 360,000 Stolen Identities Look Like
If anyone accessed that server before it was locked down (and without access logs, there’s no way to know) here’s what they got:
- Passport fraud: Full passport scans with photos, numbers, and biographic data. Enough to apply for credit, open bank accounts, or create counterfeit documents.
- Identity takeover: Matching selfies + government IDs = everything needed to pass most identity verification systems. The same KYC checks that Duc uses could be beaten with Duc’s own leaked documents.
- Financial surveillance: Years of transaction records showing exactly who sent money to whom, and when. For users sending money to Cuba (a key Duc market) that’s particularly sensitive.
- Physical targeting: Names + home addresses + financial activity = a complete targeting package.
And the users affected? People sending money internationally to family, often in countries with limited banking infrastructure. They used Duc because they had to. Now their passport data may be in the hands of anyone who guessed a URL.
Canada’s Privacy Commissioner Is “Seeking More Information”
The Office of the Privacy Commissioner of Canada confirmed it has “reached out to the company to obtain more information and determine next steps.”[1]
That’s the entire response so far. Canada’s PIPEDA (Personal Information Protection and Electronic Documents Act) requires organizations to protect personal information with security measures appropriate to the sensitivity of the data. Passports and government IDs sit at the very top of that sensitivity scale.
Under PIPEDA, organizations that experience a breach of security safeguards must report it to the Commissioner, notify affected individuals, and keep records of every breach for two years. Whether Duales met any of those obligations is unclear[6].
If this were the EU, Duc would be staring down a GDPR enforcement action. In Canada, PIPEDA’s enforcement tools are weaker: the Commissioner can investigate and make recommendations, but can’t directly impose fines. The government’s proposed Digital Charter Implementation Act would have added penalties of up to 5% of global revenue, but that bill died when Parliament was dissolved[6].
This Keeps Happening Because Nothing Changes
Duc joins a growing list of companies that demanded your most sensitive documents and then failed to protect them:
- In February 2026, Hims & Hers lost 2.5 million subscribers’ health data through a compromised Okta SSO integration.
- In January 2026, Navia Benefit Solutions exposed 2.7 million people’s SSNs and health records for 24 days.
- In March 2026, the European Commission lost 340GB of data through a compromised security scanner.
The pattern is always the same: collect maximum data, invest minimum security, apologize after the breach, repeat. Regulations demand the collection. Nobody enforces the protection.
What You Can Do
If you used the Duc App:
- Assume your identity documents are compromised. You uploaded a passport or driver’s license. It was on a public server for up to five years. Act accordingly.
- Place a fraud alert with all three credit bureaus (Equifax, TransUnion, Experian in the US; Equifax and TransUnion in Canada). It’s free and takes five minutes.
- Consider a credit freeze. This blocks new accounts from being opened in your name. You can temporarily lift it when you need to.
- Monitor for unauthorized accounts. Check your credit reports at annualcreditreport.com (US) or by contacting the bureaus directly (Canada).
- Watch for phishing. If criminals have your name, address, and transaction history, they can craft convincing targeted scams referencing real details of your life.
- File a complaint with Canada’s Office of the Privacy Commissioner if you’re a Canadian resident.
For everyone else:
- Before uploading identity documents to any app, search “[app name] data breach” and check their security track record.
- Ask what the company does with your documents after verification. Do they delete them? Store them? For how long?
- If a service requires your passport and you can use an alternative that doesn’t, switch.
Sources
- TechCrunch: Money transfer app Duc exposed thousands of driver’s licenses and passports to the open web (April 2, 2026)
- Silicon Canals: A fintech app asked users for their passports, then left 360,000 files unprotected for five years (April 2026)
- TechNadu: Duales Duc App data left unprotected due to unencrypted server (April 2026)
- TechRadar: Top money transfer site Duc leaks user passport and driving license data info online (April 2026)
- CoreStream GRC: 2026 Data Breach Trends and Insights (2026)
- Office of the Privacy Commissioner of Canada: PIPEDA Overview
Published: April 5, 2026