GoPass, a Colombian paytech company, showed plain negligence by leaving one of its Google Cloud Storage buckets readable by anyone on the internet, with no authentication required. The bucket held sensitive information on roughly a million Colombian citizens and businesses.
GoPass offers drivers a single-window solution for paying for road services (tolls, gas stations, car washes and parking lots) along with settling fines and accessing roadside assistance.
By the first half of 2023 the app had grown substantially, serving 350,000 cars and trucks and processing more than 6 million transactions. That growth was recognized by investors, leading to $15 million in funding from Kaszek Ventures in Brazil.
The exposed bucket, apparently backing the payment app, held more than 800,000 sensitive documents containing drivers' transaction data. The leaked fields include vehicle license plate numbers, taxpayer IDs [Número de Identificación Tributaria (NIT)], Unique Personal Identity Numbers [Número Único de Identificación Personal (NUIP)], transaction dates and times, contact details and email addresses, among others.
With that information in hand, a threat actor could clone a vehicle: put the victim's plate on a car of the same make, model and colour, producing something nearly indistinguishable from the original in the eyes of the government and law enforcement. The only way to tell the real car from the clone is to check the VIN, which requires pulling the vehicle over for a physical inspection.
A second risk arising from this leak is financial fraud. With personal identification numbers (NUIP or NIT) and the other personal details, a malicious actor can open bank accounts, apply for loans in the victim's name, or commit other forms of identity fraud.
Such negligence by service providers costs citizens in multiple ways, and they are the ones who end up bearing the impact. Service providers are expected to secure the information that passes through them or sits in their storage. Regular security audits and assessments should be mandated by the government, and any failure to meet the agreed compliance requirements should be met with strict action.
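The misconfiguration at the root of this story, a bucket readable by anyone, is one of the easiest things to check for in an audit. The script below is an added illustration and is not GoPass's code or anything published with the story. It takes two JSON documents per bucket: the IAM policy as printed by `gsutil iam get gs://BUCKET`, and the bucket resource as returned by the JSON API's `storage.buckets.get` (the `iamConfiguration` block). It flags any binding granted to `allUsers` or `allAuthenticatedUsers`, rates it by whether the role can write, and also reports when public access prevention is not enforced or uniform bucket-level access is off (in which case per-object ACLs can still leak objects even if the bucket policy looks clean). The two sample buckets are constructed for this example; the role set, the severity labels and the `audit_bucket` function are the author's choices, not a Google-defined scheme.

```python
"""Audit Google Cloud Storage buckets for public exposure.

Added example, not code from GoPass or Google. Input shapes follow the JSON
emitted by `gsutil iam get` (policy) and the JSON API bucket resource
(metadata); the sample documents at the bottom are constructed for this example.
"""
import json

# Principals that mean "everyone on the internet" / "anyone with a Google account".
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Roles that can create, modify or delete objects or change bucket policy.
# A public grant of one of these is worse than read-only exposure.
WRITE_ROLES = {
    "roles/storage.objectCreator",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
    "roles/storage.legacyBucketWriter",
    "roles/storage.legacyBucketOwner",
    "roles/storage.legacyObjectOwner",
}


def public_bindings(policy):
    """Return (role, member) pairs that grant a public principal access."""
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                found.append((binding["role"], member))
    return found


def audit_bucket(metadata, policy):
    """Return (severity, message) findings for one bucket; empty list means clean."""
    findings = []
    iam_cfg = metadata.get("iamConfiguration", {})
    # Public access prevention blocks allUsers/allAuthenticatedUsers grants at the
    # bucket and object level regardless of what the policy says.
    if iam_cfg.get("publicAccessPrevention") != "enforced":
        findings.append(("medium", "public access prevention not enforced"))
    # Without uniform bucket-level access, legacy per-object ACLs still apply and
    # can expose individual objects even when the bucket policy is private.
    if not iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled"):
        findings.append(("low", "uniform bucket-level access disabled; object ACLs may be public"))
    for role, member in public_bindings(policy):
        severity = "critical" if role in WRITE_ROLES else "high"
        findings.append((severity, f"{member} granted {role}"))
    return findings


# --- constructed sample data (hypothetical buckets, not GoPass's) -------------
OPEN_METADATA = json.loads("""{
  "name": "example-payments-exports",
  "iamConfiguration": {
    "publicAccessPrevention": "inherited",
    "uniformBucketLevelAccess": {"enabled": false}
  }
}""")
OPEN_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:exporter@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]}
  ],
  "etag": "CAE="
}""")

HARDENED_METADATA = json.loads("""{
  "name": "example-payments-exports",
  "iamConfiguration": {
    "publicAccessPrevention": "enforced",
    "uniformBucketLevelAccess": {"enabled": true}
  }
}""")
HARDENED_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:exporter@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "CAI="
}""")


if __name__ == "__main__":
    for label, meta, pol in (("open", OPEN_METADATA, OPEN_POLICY),
                             ("hardened", HARDENED_METADATA, HARDENED_POLICY)):
        print(f"[{label}] {meta['name']}")
        for severity, message in audit_bucket(meta, pol) or [("ok", "no findings")]:
            print(f"  {severity:8s} {message}")
```

Run against real buckets by feeding it the output of `gsutil iam get gs://BUCKET` and the bucket resource from the JSON API; a "high" or "critical" finding is exactly the condition described at the top of this article. The fix for an accidentally public bucket is to remove the `allUsers`/`allAuthenticatedUsers` bindings and then enforce public access prevention (`gsutil pap set enforced gs://BUCKET`) so the same mistake cannot be repeated by a later policy change.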