Company: Public KYC cache met retention rules, not a breach

A public cache of customer KYC files was stored to meet anti-money-laundering retention rules, the firm and compliance experts said; access logs show no unauthorized downloads.
Security researchers discovered a repository of customer know-your-customer records on an internet-accessible server last week. The firm that owned the files removed the cache from public view within hours and opened an internal review, officials reported.
The company explained the files were stored to meet anti-money-laundering and counter-terrorist financing retention requirements. Regulators in the jurisdictions where the firm operates require that customer identification and transaction records be preserved for a fixed period, commonly five to seven years after an account or service ends, the firm noted.

System administrators told investigators the exposed server was not part of the main production network and that access controls had been applied. The organization said access logs show no evidence of unauthorized downloads or lateral access from outside its network. Company representatives notified relevant regulators and informed affected customers where required by law. External auditors have been engaged to review data governance and archival procedures.
The stored records included scanned identity documents, proof-of-address documents and internal verification notes, the firm reported. The company stated that account numbers and other sensitive elements that are typically masked were not present in the exposed set. The firm declined to disclose how many individual records were involved but said early checks did not indicate misuse.
Independent cybersecurity professionals reviewing public evidence differentiated accidental exposure from a targeted intrusion. One consultant reviewing the case noted that a public cache can result from a misconfigured server or an overlooked backup copy rather than from stolen credentials and exploitation. The reviewer added that improper exposure represents an operational lapse that requires configuration and access-policy fixes.
Privacy and data-protection experts recommended measures to limit risk in retained repositories. Suggested safeguards included encryption of archived files, stronger access controls, routine scans for public exposure and reducing retention periods where permitted by law. The company said it will update procedures to ensure archival systems and backups are subject to the same configuration checks as production servers.
Regulators require KYC retention so authorities can reconstruct customer relationships and transactions during investigations and audits. Company officials and outside reviewers characterized the incident as related to retention and storage practices rather than evidence of a successful cyber attack.








