An ICO that collected the personal information of more than 15,000 participants left their details on a publicly accessible WordPress registry, it has been discovered. The exposure came to light via a blog post by MyCrypto’s Head of Security, Harry Denley, who had been informed of a potential scam ICO and did some digging. What he found, among other red flags, was that he could easily view and download the details of all the ICO contributors, including names, passport photos, driving licenses, selfies, and more. The finding raises serious concerns about how securely cryptocurrency projects store sensitive information.
Risk of Identity Theft
Denley doesn’t mention the name of the project, but he does reference the fact that their team includes “…experts from Data Management, business management, logistics specialists, IT-experts etc for developing complex IT- and blockchain-solutions…”. You would think, then, that they knew a thing or two about how to look after sensitive personal data, but either the whole project is a scam (Denley doesn’t state his opinion) or they just didn’t take the security of personal data seriously. Information such as this could be very lucrative for those who make money selling data on the dark web, and its exposure could have a serious impact on the lives of those who trust unknown projects with their personal data, as Denley outlines:
These types of documents are important. If passed to the wrong hands and combined with other data, people can use these to damage you in various ways: they can steal your identity, steal your money, destroy your credit rating, destroy your reputation, and cause major problems in your life.
Do Your Research
Seeing as all reputable ICOs demand, or should demand, KYC or anti-money laundering (AML) documentation from investors, thousands of people at a time are putting their faith in what are essentially startups, many of which have very little capital and therefore usually cannot afford the kind of secure document storage we would like to think they have. As we can see in this case, a project can boast about the personnel it has on board, but that doesn’t always translate into correct security practices. Once again with crypto, it’s a case of doing your research before handing over your money or your personal data.