53 comments

[ 2.7 ms ] story [ 67.3 ms ] thread
I am sure even my passport would be part of the breach, are the passport holders beign notified of the breach?
Oh god that’s pretty bad

> The documents were hosted by systems used by cannabis clubs and a company called Nefos, which operates PuffPal, a platform that manages membership and age verification for cannabis retailers and clubs across Europe. The infrastructure storing these identity documents—full passport scans, driver’s licenses with photos, names, and identifying numbers—was left completely unprotected on publicly accessible web servers.

I cannot imagine the level of fines under GDPR for leaking that much PII

Show me the consequences. I hear there are supposed to be repercussions, but these asshats never seem to pay for their crimes.
Why can't verification simply be go to post office, clerk will affadavit that you presented correct ID via online form. Which could also do the photo lookup for good measure.

Store that fact in the computer. Good for one ID usage. Good for less critical stuff like this weed thing (versus say a visa application which may need to store).

The analogy is a nightclub bouncer checks your ID.

That's good, just grab one of those whenever your need to prove your age online /s
For liveness i suppose you need a good graphics card.

So dystopian

> a good graphics card

Well, see, for safety reasons we're not going to let consumers have those anymore. You could be doing all kinds of shenanigans, running LLMs locally like a pirate.

Not even needed many times, I was recently at an overseas airport that wanted you to scan your passport to log into the internet. Ya not happening. On another device I downloaded a "sample" passport image of a British passport, the first one on Google images, pointed the phone at the device screen. "This will never work" , he thought as he was immediately logged in. All this stuff really hurts the people who follow the rules the most.
The lack of security is one thing, but why have they retained the information at all!

iirc, one of the elements of GDPR is "storage limitation", i.e. you must not keep personal data for longer than you need it - and in this case, the data is only needed to verify the age of the user, and shouldn't ever be required again (unless people can now get younger).

Once a document has been used to verify a person's identity and that the person is of legal age, there is no reason to retain a copy of the document any more.

It would be reasonable and fair to retain a photo of the user to verify that the person matches the account, but that's it.

  > Once a document has been used to verify a person's identity and that the person is of legal age, there is no reason to retain a copy of the document any more.
Might KYC laws and general CYA policies prefer to keep the proof of age? For instance to protect e.g. against a minor altering the date on their passport. Especially in such a regulated industry.
Damn, we even got passport leaks before GTA 6.
> Note what happened. A high-value credential—a passport—was used in an ancillary low-value authentication system: ID verification for cannabis dispensaries. And it’s the low-value system that got hacked, putting the high-value credential at risk.

Why do these systems hold onto user's data post verification?

Do the laws that mandate identity verification set security standards that the websites which collect and verify the data must meet?
Much as passports are very important for proving identity etc, people who travel have had their passport scanned, photographed or photocopied by pretty much every hotel they've stayed in. I'm not sure the shoebox in the backroom in Koh Samui with the photocopies in constitutes good storage hygiene protocols.

How that doesn't turn into rampant identity theft I don't know, or maybe it does? Not, happily, for me... yet.

> people who travel have had their passport scanned, photographed or photocopied by pretty much every hotel they've stayed in.

This. I hate it. People expect you to send your documents on messaging apps and god only knows where they end up. Unfortunately, I fear there's nothing we can do to stop this as govs enforce this kind of operations.

It's far worse than that. In a lot of cases when you pay on booking.com, they don't charge your card. Instead, they send all your information (including CVV) along to the hotel where they can charge you how they want. A hotel I visited in Austria, had my card details printed out on a piece of A4 paper.
that shoebox would prob be thrown or burnt at some point tho, rather than being accessed by savvy hackers from across the globe.
> Zero password protection on document storage systems > > No encryption for sensitive identity verification data > > Public URL access with no authentication requirements > > No access logging or monitoring systems in place

Pretty much the bingo of secure storage, even CTF demos make it less obvious. Storing a document that they have no business keeping in the first place, with no security whatsoever.

So much of our information is being leaked nowadays that news like these don’t surprise me anymore…

I think everyone should understand that if they truly want something private, storing it offline or destroying it completely, are the only safer options.

Any sort of convenience to access said data, is a possible surface of attack.

> No hacking was required—documents were accessible through direct URLs with zero authentication or encryption.

You would be surprised what some courts already count as hacking

Remember that there is no such thing as identity theft. There is just fraud. You weren't involved at all.
> PuffPal, a platform that manages membership and age verification for cannabis retailers and clubs across Europe.

At least we’re keeping the children safe though by verifying ages. It’s worth giving up privacy for that…

I'm aware of another batch of leaked passports, from a few years ago.

A family member was booking a school tour, when he noticed the URL of the Travel CRM included an id number. Sure enough, the CRM would return all his details given only the (sequential) id number without a need for credentials: high resolution passport scan, and all the other details provided when booking an overseas trip.

He notified the CRM company, and that email was ignored. He emailed again, proposing disclosure, and the problem was silently fixed with no response.

A few months later he mentioned it to the school, along with the fact that he had followed up and had the vulnerability fixed. The school went straight into panic mode, called him to the principal's office and forced him to write a statement so they could refer him to the Feds. I intervened, explaining that he was the good guy who got the vulnerability fixed, and the problem was the school's, since they had supposedly vetted the CRM for security when choosing a tour company.

All of a sudden from the school's point of view there was no problem and no need to mention it to any of the people whose information had been disclosed, despite my insistence. The people still haven't been notified. The school did acknowledge that the family member had done the right thing and verbally thanked him, but would not put anything in writing.

The people involved in the tour had their details leaked, but there was nothing special about those people in the system, so realistically every person whose details were in that CRM had their details, including passports, leaked. It was a major travel CRM provider, so the number of people in the system would have been 6 or 7 figures.

The kicker is that the family member was employed by a software company that had the school system as a customer. The IT person who was responsible for vetting the travel CRM (and had verbally thanked him) arranged for the school system to phone his employer and deliver an ultimatum: that the family member be sacked or they would risk losing a customer. The family member got the sack.

i could swear i have read that same story here before but can't find it
The cannabis link makes it much worse as you have a bit of information about the person in addition to the passport which is a perfect ID.
Well this should keep the transfer stations going for a bit longer.
Don't forget to send your congress person a reminder about what their vote for age verificiation systems does.

Find your rep at congress.gov. Email or mail them this article.

[stub for offtopicness]
In EU, eIDAS 2.0 will fix all of these issues and future leaks alltogether.

Check authbound.io

Ironic, using the domain of the British Indian Ocean Territory instead of a .eu domain
Back when S3 buckets were rarely protected, I found hundreds of passports of people operating in the diamond business here in Antwerp.

In another one I found all passports that had been scanned by a hostel in Bangkok.

Ahh so that's what they mean at the reception when they take photo of my ID and say "it's for the police". So that any police anywhere can freely download it at any time!
I have a real problem with the pretense posed by the article that the club has no blame. They should have understood the risk they were taking on by subcontracting a vendor to collect passports, and better vetted that vendor. Obviously the service provider was completely inept, but that doesn't absolve the fools using them.

I preach to my clients this sort of PII should be treated as a toxic, hazardous substance. Ideally don't touch it with a 10 foot pole, and if you can't help it then limit the scope, protect it with strong access policies that severely limit who can touch it (including encryption keys conservatively custodied), and securely delete it all as soon as possible.

Too many companies these days point you to shoddy third parties for some kind of functionality (e.g. book an appointment, perform KYC on you, host the online learning platform for your course, etc.), inappropriately foisting both a new business relationship on you that you never asked for along with their partner's terms of service that you have no bargaining power in negotiating.

This is a side-effect of the SaaS era, and the model is broken.

Processing such PII here with an external AI partner:

- last week, we had bug: I said: "couldnt you just re-run the same step with the same data again" - their answer: "we cant! look at paragraph XY in our GDPR agreement, we are deleting all input documents everything after it has been processed"

Very well implemented! :)

(though, I had to upload and re-initiate eveything again)

> I preach to my clients this sort of PII should be treated as a toxic, hazardous substance

I've heard this phrasing a lot, but it's hard to believe when there are no consequences after a leak.

> the pretense posed by the article that the club has no blame.

Remember that these clubs are mostly small, local businesses. Their owners just don't have the technical sophistication to evaluate software security. Or the clout to demand an audit.

> This should be a wakeup call for data security.

Hah, author is funny.