Nearly 1M passports, driver's licenses exposed in data leak
The exposed data includes sensitive information

Jun 11, 2026
03:05 pm

What's the story

A security breach has exposed nearly a million personal identity documents, including passports and driver's licenses, on the public internet. The issue was flagged by security researcher Sammy Azdoufal, who discovered over 985,000 photo IDs accessible without any password or access control. The exposed data includes sensitive information like phone numbers and home addresses of individuals from different countries.

Security lapse

Data comes from cannabis clubs in Spain

The exposed data comes from cannabis clubs in Spain, which use software from an Irish company called Cannabis Club Systems (CCS) for sales, accounting, and admissions. The software includes a verification system in which receptionists upload IDs and selfies to Nefos's cloud. However, Azdoufal found that CCS's app had no meaningful security measures in place, and he discovered a secret key for the Stripe payments platform stored inside it in plain text.

Data breach

Exposed data includes preferences for cannabis strains

Azdoufal's automated tool revealed that the exposed data included not just photo IDs but also phone numbers, home addresses, passport numbers, and even preferences for cannabis strains. The researcher noted that celebrities were also part of this database. He discovered that clubs were uploading 5,000 new photo IDs daily through unsecured URLs like this.

Response

Nefos shuts down PuffPal system

In light of the security breach, Nefos has decided to shut down its entire PuffPal system and vulnerable APIs until they can be fixed. The company has also informed local authorities about the incident. "We have to communicate to everyone that was potentially exposed," said Andreas Nilsen, co-founder of Nefos. He confirmed that they are working with Ireland's Data Protection Authority (DPC) regarding the data breach.

Accountability

Incident to be verified by an independent security researcher

Nilsen said his company won't relaunch unsecured PuffPal if clubs ask for it. "We will make sure, after this debacle, that this is verified by an independent security researcher and guarantee that this is 100% secure," he added. He also admitted that under EU law, his company was legally required to disclose the breach within 72 hours or face hefty fines.