Mexican fintech company Miio has exposed millions of files containing sensitive customer data
- 2.9 million files from fintech company Miio have been found online
- Investigators say the information has been unattended for months
- The company has not yet responded to the announcement
Cybersecurity researchers claim that financial technology company Miio, which provides mobile telecom and financial services to customers in Mexico, suffered a massive data breach, exposing up to three million Know Your Customer (KYC) files.
Findings from Cyber news say the files were reportedly unattended for at least several months and included files dating back to 2017, when the company was founded. This strongly suggests that all Miio customers are affected: 2.9 million scans of various KYC documents were found, including customer passports and IDs, driver’s licenses and photos.
There is no evidence yet that malicious actors have accessed the data, but as researchers have gained access to it, it is likely that others have done so as well. Government-issued credentials are incredibly valuable to attackers because they can facilitate identity theft and fraud.
Unconsciously or unwillingly
Researchers discovered the leak on September 12, 2024, and the first notification was sent on October 2. The storage bucket has been open for at least three months now. Investigators’ attempts to make contact were “met with silence.”
If the KYC documents fall into the wrong hands, attackers can open bank accounts, apply for loans or take out credit cards in the victim’s name.
With the types of identity documents being found and customer selfies for verification, researchers warn that this could allow hackers to take over existing customer accounts, so victims should be extremely vigilant in the coming months.
“In the context of Miio’s role as a telco bank serving a broad customer base, such a breach would undermine confidence in their ability to protect sensitive data, exposing their users to serious financial and personal risks,” the researchers said.