Passports and ID cards of thousands of TrueMove H customers leaked online


The personal data, including scans of passports and ID cards, of tens of thousands TrueMove H customers have been leaked online.

The data was discovered by security researcher Niall Merrigan who revealed his findings on his blog.

According to Mr Merrigan, the data was stored in an Amazon Service S3 Cloud storage bucket without any protection and which could be accessed by anyone who was able to find the URL.

The leaked data contained PDFs and JPG files of identification documents including passports and ID cards of 46,000 TrueMove H customers. The total haul measured 32GB of data.

Mr Merrigan said data was stored in the file format: truemoveh/idcard/YYYY/MM/FILENAME


Niall Merrigan –

Writing on his blog, Mr Merrigan said: “I checked the first couple of files in the directory and it was a picture of a Minion from Despicable Me and some were logos. This led me to believe that it was a development server, but the site name contained -prod, so I scrolled further down and opened a later file which was a scanned ID card of a Thai citizen”.

“At this point, I realised that they were storing scanned ID cards that they got from customers in this S3 bucket and there was no security on it at all protecting the files. Simply, if you found the URL, you could download all their customers scanned details.

“In all over 32GB of data existed in this bucket totalling 46K files, neatly organised by year.”

Mr Merrigan criticised the slow response of TrueMove H in dealing with the issue.

Despite reporting the data leak to the company last month, access to the data was only restricted on 12th April, The Register reported.

“I connected with True Move H on Twitter to ask for some contact information and they sent me to their support email address, Mr Merrigan wrote.

“I sent the details to their support department a full report on Saturday 10-Mar detailing how this was found, examples of the files that were available and asking to talk to their security team.

“The response was quite shocking. They admitted not having a security department and that I should contact their head office between business hours

Discuss this story in our forum


Comments are closed.