Gift card company’s cybersecurity failures expose millions of customers’ sensitive data
- MyGiftCardSupply exposed sensitive customer data, including government IDs and photos, due to an unsecured cloud server.
- The incident affected 200,000 customers, leaving them vulnerable to identity theft and fraud.
- The company has not publicly acknowledged the problem or committed to notifying affected customers.
- This incident highlights a pattern of negligence in handling KYC-related data across multiple companies.
In yet another alarming example of poor cybersecurity practices, MyGiftCardSupply, a popular online gift card retailer, has left sensitive customer data exposed as part of its Know Your Customer (KYC) verification process. The incident, discovered by a vigilant security researcher, highlights the growing risks associated with lax data protection measures in the digital age. Shockingly, the company has yet to commit to informing affected customers, leaving thousands of individuals vulnerable to identity theft and fraud.
The exposed data included highly sensitive information such as government-issued IDs, photos of customers, and other personal documents submitted by customers to verify their identities. These documents are typically required under KYC regulations, which are designed to prevent fraud and money laundering. However, in this case, the very process meant to protect customers became the source of their vulnerability.
The security researcher who uncovered the breach found that MyGiftCardSupply had stored customer data on an unsecured cloud server, accessible to anyone with the right link. This type of misconfiguration is a common yet entirely preventable cybersecurity failure. The researcher noted that the exposed data was not encrypted, meaning that anyone who stumbled upon the server could easily view and download the sensitive information.
The breach affected an estimated 200,000 customers, whose personal data was left exposed for an unknown period. While the exact duration of the exposure remains unclear, the potential for misuse is significant. Cybercriminals could exploit this data to commit identity theft, open fraudulent accounts, or even sell the information on the dark web.
A pattern of negligence
What makes this incident particularly troubling is MyGiftCardSupply’s apparent lack of urgency in addressing the issue. Despite being notified of the breach, the company has not publicly acknowledged the incident or committed to informing affected customers. This lack of transparency is not only irresponsible but also undermines trust in the company’s ability to safeguard customer data.
This is not an isolated incident. In recent years, several companies have faced scrutiny for mishandling sensitive customer data during KYC processes. For example, Roomster, a roommate-finding platform, was recently criticized for failing to secure user-submitted identity documents, leaving them exposed to potential misuse. These incidents underscore a troubling trend: companies are collecting more personal data than ever before, yet many are failing to implement the necessary safeguards to protect it.
The broader implications
The MyGiftCardSupply incident serves as a stark reminder of the risks associated with poor cybersecurity practices. As companies increasingly rely on digital platforms to collect and store sensitive information, the need for robust data protection measures has never been greater. Unfortunately, many businesses continue to prioritize convenience over security, leaving customers exposed to unnecessary risks.
Moreover, the incident raises questions about the effectiveness of KYC regulations. While these rules are intended to protect consumers and prevent fraud, they can also create new vulnerabilities if companies fail to handle the data responsibly. In this case, MyGiftCardSupply’s failure to secure customer data has effectively turned a regulatory requirement into a liability.
In the wake of this breach, it is imperative that MyGiftCardSupply take immediate action to address the issue. This includes notifying affected customers, conducting a thorough investigation, and implementing stronger cybersecurity measures to prevent future incidents. The company must also be held accountable for its failure to protect customer data and its lack of transparency in the aftermath of the incident.
For consumers, this incident serves as a cautionary tale. It is essential to remain vigilant when sharing personal information online and to choose companies that prioritize data security. The responsibility to protect sensitive information must be shared by both businesses and consumers.
In the meantime, the MyGiftCardSupply incident is a sobering reminder of the consequences of poor cybersecurity practices. It is a wake-up call for companies to take data protection seriously and for regulators to ensure that KYC processes do not inadvertently put consumers at risk. Until then, incidents like this will continue to erode trust in the digital economy, leaving everyone vulnerable.
Sources for this article include:
TechCrunch.com
ReclaimTheNet.org
JLTee.Substack.com