• 2.9 million files from fintech firm Miio have been found exposed online
• Researchers say the information has been unguarded for months
• The company is yet to respond to the disclosure notice

Cybersecurity researchers have claimed financial technology firm Miio, which offers mobile telecoms and financial services to customers in Mexico, has suffered a huge data leak, exposing up to three million Know Your Customer (KYC) files.

Findings from Cybernews say the data was reportedly unguarded for at least several months, and included files dating back to 2017, when the company was started. This strongly suggests that all Miio customers were impacted, with 2.9 million scans of various KYC documents found, including passports and IDs, driver’s licenses, and customer pictures.

There’s no evidence yet that malicious actors accessed the data, but since researchers were able to access it, it's probable others have too. Government-issued identifications are incredibly valuable to attackers, since they can facilitate identity theft and fraud.

Unaware or unwilling

The researchers discovered the leak on September 12, 2024, and an initial disclosure notice was sent on October 2. The storage bucket has now been open for at least three months. Researchers’ attempts to reach out have been ‘met with silence’.

If the KYC documents have fallen into the wrong hands, attackers could open bank accounts, apply for loans, or take out credit cards in the victims’ names.

With the type of ID documents found and the customer selfies for verification, researchers warn that this could enable hackers to take over existing customer accounts, so victims should be ultra-vigilant in the coming months.

“In the context of Miio’s role as a telcobank serving a wide base of customers, such a leak would undermine trust in their ability to safeguard sensitive data, exposing their users to severe financial and personal risks,” the researchers said.

source https://www.techradar.com/pro/mexican-fintech-company-miio-exposed-millions-of-files-of-sensitive-customer-data