- 2.9 million files from fintech company Miio discovered online
- Researchers say information hasn’t been protected for months
- The company has not yet responded to the disclosure notice
Cybersecurity researchers have claimed that financial technology company Miio, which offers mobile telecommunications and financial services to its customers in Mexico, suffered a massive data breach, exposing up to three million Know Your Customer (KYC) files.
Cybernews’ findings indicate that the files were left unprotected for at least several months and included files dating back to 2017, when the company was founded. This strongly suggests that all Miio customers were affected, with 2.9 million scans of various KYC documents found, including passports, IDs, driving licenses and customer photos.
There is no evidence yet that malicious actors accessed the data, but since the researchers were able to access it, it is likely that others did too. Government-issued IDs are extremely valuable to attackers because they can facilitate identity theft and fraud.
Unaware or unwilling
Researchers discovered the leak on September 12, 2024, and a first disclosure notice was sent on October 2. The storage bucket has now been open for at least three months. Attempts by researchers to reach out were “met with silence.”
If KYC documents fall into the wrong hands, attackers could open bank accounts, apply for loans or take out credit cards in the victim’s name.
Given the types of ID documents found, along with the customer selfies used for verification, researchers warn this could allow hackers to take over existing customer accounts. Victims should therefore be ultra-vigilant in the coming months.
“In the context of Miio’s role as a telecommunications bank serving a broad customer base, such a leak would undermine confidence in their ability to protect sensitive data, exposing their users to serious financial and personal risks,” the researchers said.