A family member was booking a school tour, when he noticed the URL of the Travel CRM included an id number. Sure enough, the CRM would return all his details given only the (sequential) id number without a need for credentials: high resolution passport scan, and all the other details provided when booking an overseas trip.
He notified the CRM company, and that email was ignored. He emailed again, proposing disclosure, and the problem was silently fixed with no response.
A few months later he mentioned it to the school, along with the fact that he had followed up and had the vulnerability fixed. The school went straight into panic mode, called him to the principal's office and forced him to write a statement so they could refer him to the Feds. I intervened, explaining that he was the good guy who got the vulnerability fixed, and the problem was the school's, since they had supposedly vetted the CRM for security when choosing a tour company.
All of a sudden from the school's point of view there was no problem and no need to mention it to any of the people whose information had been disclosed, despite my insistence. The people still haven't been notified. The school did acknowledge that the family member had done the right thing and verbally thanked him, but would not put anything in writing.
The people involved in the tour had their details leaked, but there was nothing special about those people in the system, so realistically every person whose details were in that CRM had their details, including passports, leaked. It was a major travel CRM provider, so the number of people in the system would have been 6 or 7 figures.
The kicker is that the family member was employed by a software company that had the school system as a customer. The IT person who was responsible for vetting the travel CRM (and had verbally thanked him) arranged for the school system to phone his employer and deliver an ultimatum: that the family member be sacked or they would risk losing a customer. The family member got the sack.
Isn't this classic wrongful termination?
The image of people standing up for the noble whistleblower is far from the truth. Disclosing the company here won't achieve anything apart from garnering a few karma points and generating some short lived outrage at the company.
I'd consider disclosing it to the ICO, and made tentative steps in that direction at the time, but it's not clear that they are interested and whose interests they would protect.
Here's a question that might make this discussion useful: What is people's experience of reporting data breaches to the UK's ICO? In your case, was meaningful action taken by the ICO and was the person doing the reporting protected?
But it's easier to say that people are removed by design from the consequences of their acts so it's not easy to take the right decision for anyone. It's just not convenient, instead.
To his credit, the family member took it as a life lesson and moved on (probably more than I have given my posting here). These days he deals with companies that value his contributions, and it turns out that his ex-employer's loss is other companies' (significant) gain.
There is a reason why numerous security features are embedded in physical documents like watermarks, holograms and NFC. That's so the authenticity can be inspected in person. A picture has none of those, so it should not be treated as a credential.
Because there is no other universal method that works online, and because companies don’t really care about identity verification – they just need something “good enough” so that they can say “hey, we’ve followed industry standard protocols, how could we have known this passport scan was photoshopped?”
And to be honest I think it’s for the best. I really don’t want to be scrutinized even more online (and give even more personal data so it gets leaked a couple years later).
I don't think you should be able to do anything with your passport online. That's a document that should only have value if you're actively holding it in your hand.
How that doesn't turn into rampant identity theft I don't know, or maybe it does? Not, happily, for me... yet.
Friction and delay have always been aspects of security.
We are not there yet, Sir. First you must provide inheritance document showing the amount inherited and deed of purchase and sale of real estate. This is the law.
Since then, I do not allow the scans anymore. It is a dreadful feeling showing up to a hotel not knowing if you'll get turned away at the last minute because you take a stand for your privacy. So far, none have been willing to lose the bookings, but I know sooner or later my luck will run out and I'll have to find last minute accommodations.
To second the photographed/photocopied requirements, as an expat, I am frequently asked to send a scan of my passport to people or entities that are not necessarily the most secure.
I also have a couple of important documents that are literally PDFs. My Canadian citizenship certificate is a PDF with a barcode in it, that I can print off a copy of if I need to mail it, or show on my phone to a consular office or a border guard if needed. My work visa here in New Zealand is a PDF with my passport number and a visa number, which my workplace and bank checked with an online database. Fundamentally, these and my passport are pointers to a row in various databases.
So you can't fake a non-existing passport because of the issuer signature, but cloning is not rocket science for many countries' passports.
Why do these systems hold onto user's data post verification?
Depending on the company, you could rate the reasons on a scale from "incompetence/naivete" to "revenue stream".
The real problem is that there aren't many options for real authentication over getting people to upload pictures of high-value credentials. Now every service has to be a security expert, like encrypting the images at rest so they aren't the ones who leak it.
It's kind of like how dumb our credit card system is where you have to both share a secret with everyone (from random websites to random restaurants) while hoping the bad guys never get it because the secret can be used anywhere. It kinda works against everyone except the bad guys.
Maybe it's time we come up with a deliberate system.
I was working on a project, client is a Real Estate agency, they use a CRM where they upload houses and it in turn uploads it to various sites like Zillow. We needed a list of their listed houses, so we wanted to use that data source instead of making a CRUD where they have to add houses yet again.
We ask the CRM sales team about APIs, and they tell us that there are no accounts for third parties; client accounts have APIs, so we have to ask the client for an API key (or for their account password).
Which makes sense in general I guess, but the data is public in our case, so the CRM sales staff's idea was that we should ask the client to let us access their account in order to get public data. We proceeded to scrape the houses from a website like Zillow like cavemen.
As it happens, our project was ancillary and low-value. So I don't doubt that the clients of this CRM are vulnerable in a similar way, and the root cause of the issue isn't evident at all. I can see 2:
1- Paradoxically, having an API that always requires an API KEY (as opposed to allowing unauthenticated access for public data) is less secure, as credentials/tokens will be used more often when not necessary.
2- This CRM effectively acted as an aggregator, consuming the APIs to publish to other vendors, but they don't provide an API for other vendors to read data from them. This effectively causes third party vendors to authenticate as the client, which is just incorrect. Credentials should identify a person/group, not a use case.
It’s somewhat understandable but also part of the problem.
https://azcir.org/news/2025/04/10/are-az-medical-marijuana-c...
This statement is about as accurate as saying the US doesn't have a common language, or Vatican City residents don't have a common religion.
https://en.wikipedia.org/wiki/Economic_and_Monetary_Union_of...
The European Union consists of 27 countries.
25% of them did not adopt Euro as the currency.
"common" language is orthogonal here - it would be valid if you could legally use euro everywhere. You can't, it's not a currency in the quarter of the states. Sure, someone may accept it and offer you the exchange to the local currency.
Vatican City example is also not very good (to put it mildly), because Catholicism is a state religion. You're not going to be deported for being Sikh, yes, but it's akin to a Romanian not being deported from Portugal for carrying lei in his pocket.
Euro is NOT a common currency in the EU. It is by far the most popular. It is a common currency in the Eurozone countries. And these two are distinct from Europe as well.
I'd suggest you discuss your ideas with someone before posting them again.
Or, more politely, a suggestion to post arguments that are relevant.
Set up a system so that it costs you nothing to do a bad thing but possibly wrecks you legally and financially to do the good thing, and people will inevitably do the bad thing. They shouldn't be collecting this information in the first place.
The people who design these policies are incapable of actually building things that work. They are not the intelligent, competent leaders exercising a careful craft that they like to pretend they are.
They keep going after age verification, online ID, central bank digital currencies, etc - keep this incident in mind. The people who implement and write these policies are morons. They don't game things out and plan for redundancy or resiliency. They don't take into account bad faith actors. They don't account for deliberate exploitation of the system.
They most likely weren't allowed to keep it past the verification per GDPR art.5. Once the passport has been verified for whatever purpose they needed it ("age verified to be > 18yo on 2026-06-12" or "identity verified to be XXXX YYYY"), there is no legitimate use for the passport photo and details anymore, and they should delete it.
The EDPB has explicitly ruled on that, when it comes to age verification^1, you should delete: "Trust models are crucial to prevent data breaches in age assurance contexts [...] once the user's age is verified, no record of the personal data used for the age assurance process is kept".
^1: https://www.edpb.europa.eu/system/files/documents/2025-04/ed..., number 36.
You can compare this in a certain way to file hashes. A successful verification with a predefined minimum level of credibility can be encrypted to a special string for later being used, if a service needs to verify the person again. It doesn't matter then, that the original passport images or video ident has been deleted the second after id verification has been completed.
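The "keep only the outcome" idea from the GDPR discussion above, as an added example (not code from the thread or from any verification vendor): the document check produces a minimal signed claim ("age>=18", when, until when) and the scan itself never leaves the verifying function. The verification step is a stand-in, and the HMAC key is a per-process assumption where a real deployment would use a KMS.

```python
import hashlib
import hmac
import json
import secrets
from datetime import date, timedelta

# Assumption: server-side signing key, generated per process for this example.
SERVER_KEY = secrets.token_bytes(32)


def _age_on(birth_iso: str, today_iso: str) -> int:
    b, t = date.fromisoformat(birth_iso), date.fromisoformat(today_iso)
    return t.year - b.year - ((t.month, t.day) < (b.month, b.day))


def verify_document(scan: bytes, birth_iso: str, today_iso: str) -> bool:
    """Stand-in for the real check (OCR, chip signature, liveness).
    Only the boolean outcome leaves here; the scan bytes are never stored."""
    return len(scan) > 0 and _age_on(birth_iso, today_iso) >= 18


def _canonical(claim: dict) -> bytes:
    return json.dumps(claim, sort_keys=True, separators=(",", ":")).encode()


def issue_attestation(user_id: str, scan: bytes, birth_iso: str,
                      today_iso: str, ttl_days: int = 365):
    """Return a signed minimal record, or None if verification fails.
    The date of birth and the scan are deliberately not part of the record."""
    if not verify_document(scan, birth_iso, today_iso):
        return None
    today = date.fromisoformat(today_iso)
    claim = {
        "sub": user_id,
        "claim": "age>=18",
        "verified_on": today.isoformat(),
        "expires_on": (today + timedelta(days=ttl_days)).isoformat(),
    }
    tag = hmac.new(SERVER_KEY, _canonical(claim), hashlib.sha256).hexdigest()
    return {"claim": claim, "tag": tag}


def check_attestation(record: dict, user_id: str, today_iso: str) -> bool:
    """Re-verify later without the document: signature, subject and expiry."""
    expected = hmac.new(SERVER_KEY, _canonical(record["claim"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["tag"]):
        return False
    c = record["claim"]
    return (c["sub"] == user_id and c["claim"] == "age>=18"
            and date.fromisoformat(c["expires_on"]) >= date.fromisoformat(today_iso))
```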
Right, and keeping old passports used for verification should cause an audit to fail.
If there is a law about verifying buyers, how else are they going to pass that audit?
There's also laws mandating secure systems design.
Separately there's no _need_ to store the original document if the verification system is sound (and audit real, not some phony crap like in some of the scandals posted here on HN).
How else do you expect it to work? ‘Honest, we checked’ checkboxes?
If the government-affiliated agency decides to check, they can.
But back to my original statement - unless they're explicitly mandated to keep it longer, they are forbidden from doing so, and their DPO would know it.
The auditor can act as a customer and validate whether phony credentials are rejected.
Find your rep at congress.gov. Email or mail them this article.
In another one I found all passports that had been scanned by a hostel in Bangkok.
iirc, one of the elements of GDPR is "storage limitation", i.e. you must not keep personal data for longer than you need it - and in this case, the data is only needed to verify the age of the user, and shouldn't ever be required again (unless people can now get younger).
Once a document has been used to verify a person's identity and that the person is of legal age, there is no reason to retain a copy of the document any more.
It would be reasonable and fair to retain a photo of the user to verify that the person matches the account, but that's it.
WHY THE F**k ARE THEY HOLDING ON TO THAT 10 YEARS LATER!?!?!?
Of course now I know better than to give out my SSN to anyone who asks for it, but I didn't know that as a teenager.
Until stupid s**t like this becomes illegal, it will just keep continuing.
In case you want to retrieve your test scores 10 years after you took it. They need some way to uniquely identify you. Sure, they could have given you a specific test taker ID, but what if you lost that? They could have created a way for you to log in with an e-mail address, but what if you changed e-mail addresses?
You might think "Why would I need my test scores from 10+ years ago?", but my wife just started a job and they demanded her college transcripts to prove she went there...over 20 years ago.
The problem here is using a username (the ID) as a password (security check)
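The comment above and the travel CRM story at the top of the thread describe the same flaw: a sequential record id doubling as the access check. As an added example (not the thread's or any CRM's code), the insecure lookup sits beside a hardened one that authenticates, authorizes against the record owner, and logs denials for detection; the `Session` class and sample bookings are constructed for the example.

```python
import logging
import secrets
from typing import Optional

log = logging.getLogger("crm.access")

# Constructed sample data: two bookings with sequential ids.
BOOKINGS = {
    1001: {"owner": "alice@example.test", "passport_no": "P-ALICE-0001", "trip": "School tour"},
    1002: {"owner": "bob@example.test", "passport_no": "P-BOB-0002", "trip": "Conference"},
}


def get_booking_insecure(booking_id: int) -> Optional[dict]:
    """The pattern described above: the id from the URL is the only 'check',
    so anyone who can count can walk through every record."""
    return BOOKINGS.get(booking_id)


class Session:
    """Minimal stand-in for an authenticated web session (assumption)."""

    def __init__(self, user: Optional[str]):
        self.user = user


def get_booking(session: Session, booking_id: int) -> Optional[dict]:
    """Hardened lookup: authenticate, then authorize against the record owner.
    The identifier selects the row; it never grants access on its own."""
    if session.user is None:
        log.warning("denied: unauthenticated request for booking %s", booking_id)
        return None
    record = BOOKINGS.get(booking_id)
    if record is None or record["owner"] != session.user:
        # Identical response for 'missing' and 'not yours' so ids cannot be probed,
        # and a log line that a SIEM rule can count per user/source.
        log.warning("denied: user %s requested booking %s", session.user, booking_id)
        return None
    return record


# Defence in depth: expose unguessable handles instead of raw sequential ids.
# This limits enumeration but does not replace the ownership check above.
PUBLIC_HANDLES = {secrets.token_urlsafe(16): bid for bid in BOOKINGS}


def resolve_handle(handle: str) -> Optional[int]:
    return PUBLIC_HANDLES.get(handle)
```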
I was appalled when renewing my car this year that I now need a Texas by Texas account (https://www.texas.gov/texas-by-texas/), which wants... a social security number because why?!?!
Anyway, yet another data breach incoming.
In most countries, like most databases, our primary keys do not hold an expectation of secrecy.
I would even argue that the expectation of secrecy is what creates its secret semantics, that is, it's secret because you make it secret. I get that it's a collective action thing; if you just publish your own SSN, a bank in another state might not be aware it's a public thing for YOU, and might open an account for a stranger.
Interestingly enough, for corporations, their identifiers, EIN, are not assumed to be private, in many states these are available through the DoS public records. So it turns out the system works just fine if you make the ID of a person (juristic or legal) public.
If someone takes a loan in my name and I don't receive the money it is not an identity theft it is fraud and the victim is the bank not me.
https://www.upguard.com/breaches/social-insecurity-billions-...
> Once a document has been used to verify a person's identity and that the person is of legal age, there is no reason to retain a copy of the document any more.
Might KYC laws and general CYA policies prefer to keep the proof of age? For instance to protect e.g. against a minor altering the date on their passport. Especially in such a regulated industry.
At least we’re keeping the children safe though by verifying ages. It’s worth giving up privacy for that…
I only recently started IDing myself online via eID (German) if available; before that it was usually that I went to the post office and got verified there.
> The documents were hosted by systems used by cannabis clubs and a company called Nefos, which operates PuffPal, a platform that manages membership and age verification for cannabis retailers and clubs across Europe. The infrastructure storing these identity documents—full passport scans, driver’s licenses with photos, names, and identifying numbers—was left completely unprotected on publicly accessible web servers.
I cannot imagine the level of fines under GDPR for leaking that much PII
So it's a feature, not a bug and a clever revenue stream for the governments?
https://ageverification.dev/av-doc-technical-specification/d...
We're talking about a major French institution here, either public or private but colluding with the government to have their monopoly (don't know, don't care: they're all the same worms to me).
Speaking of which... There's been a recent case in France where a very nice lady working for some public institution (basically the IRS) was giving the name/wealth of "targets" to her brother so that her brother and his friends could go and kidnap/torture (fingers of victims have been cut) family members of rich French persons.
It's sickening and the real culprits are those creating the laws mandating this full on surveillance apparatus.
Store that fact in the computer. Good for one ID usage. Good for less critical stuff like this weed thing (versus say a visa application which may need to store).
The analogy is a nightclub bouncer checks your ID.
...the obvious thing to deploy is a cannabis club bouncer that checks your ID with only his eyes and hands and either bounces you or lets you in, depending on the outcome of that check.
That's far simpler than involving some unrelated third party and far more secure than storing any information about the event in any computer.
Pretty much the bingo of secure storage, even CTF demos make it less obvious. Storing a document that they have no business keeping in the first place, with no security whatsoever.
You would be surprised what some courts already count as hacking
Check authbound.io
Edit: if it is only about authbound, maybe. But they are not the only ones offering this service
If the EU wants to continue down this road, step one has to be a mobile operating system. Avoiding tying the solution to people's phones would be better.
As long as there's no liability, there's no incentive to care.
Generally, these systems are designed by people whose only goal is to make money. Security is just treated as a liability until shit actually hits the fan.
Usually, on a plain "I don't consent to you making a copy, write down the data you need", they become more pushy and even aggressive.
The first step should be to show them the Privacy Authority press release[1] - "No to preservation of guest ID copies".
You should be prepared to be refused check-in if they're stubborn and feel like you "cause problems". The protection you have is that a public service (hotel) is forbidden by law from refusing service[2][3]; the fine is €516 up to €3098. If it happens you should call the police to write it up and apply the fine. Refusal by the police (Rifiuto di atti d'ufficio) is a criminal offence punishable with imprisonment of 6 months to 2 years [4].
You should present ID to allow identification. The host must, by law, enter client data (name, DOB, nationality, etc.) into the police portal at check-in time and not later(!).
Everything else is extra and by GDPR you should be informed of any data processing, basis of processing, duration of processing, and your rights.
You can write Garante della Privacy to signal violations of GDPR if you feel it's warranted. I know they're happy to investigate and apply big fines to larger companies, not sure about how they handle smaller companies, like hotels.
1- https://www.garanteprivacy.it/home/docweb/-/docweb-display/d...
4- Italian penal code Art. 328 Refusal of office acts https://www.brocardi.it/codice-penale/libro-secondo/titolo-i...
> Everything else is extra and by GDPR you should be informed of any data processing, basis of processing, duration of processing, and your rights.
It's basically common sense yet they still insist they have to copy the document "for the police". Almost as if they are specifically sourcing these copies for someone.
Turns out the local policemen asked verbally to make photocopies, just in case... The hotel is more afraid of the local police than of its clients, so they just do it.
Since I was the only client who ever asked about it, and gaslighting me wasn't going to work ("everybody does it! what do you have to hide?"), they just gave me the copy to destroy.
Other places copy IDs because they're lazy and don't want to fill in the required form on the spot. Not to mention ID photocopies floating around the reception desk in plain sight...
In Italy occasionally they find mafia members hiding for years in... their home regions or even villages. They absolutely keep it "just in case" and I would trust their local police /s.
https://boingboing.net/2026/06/28/a-million-passports-leaked...
We really need to start building a new form of “Democracy” in the backbone of not only that anything that the ruling class wants to apply to everyone else needs to be first implemented on themselves so to double the degree, but that all politicians, bureaucrats, and even contractors need to be bonded against their personal wealth for things they say, promise, contract, or agree to. It is high time that liars, cheats, frauds, and thieves just get to get away with little more than a shoulder shrug and their billions on plunder and lies.
I think everyone should understand that if they truly want something private, storing it offline or destroying it completely are the only safer options.
Any sort of convenience to access said data is a possible attack surface.
> Are paywalls ok?
> It's ok to post stories from sites with paywalls that have workarounds.
> In comments, it's ok to ask how to read an article and to help other users do so. But please don't post complaints about paywalls. Those are off topic. More here.
https://news.ycombinator.com/newsfaq.html
You can pay for the paywall, or there are ways around.
Author: Sean Hollister https://www.theverge.com/tech/947157/passports-data-breach-c...
Similar sounding (recent) leak: Hotel check-in system exposed 1M passports and driver's licenses (4 points, May/2026) https://news.ycombinator.com/item?id=48152759
So dystopian
Well, see, for safety reasons we're not going to let consumers have those anymore. You could be doing all kinds of shenanigans, running LLMs locally like a pirate.
I preach to my clients this sort of PII should be treated as a toxic, hazardous substance. Ideally don't touch it with a 10 foot pole, and if you can't help it then limit the scope, protect it with strong access policies that severely limit who can touch it (including encryption keys conservatively custodied), and securely delete it all as soon as possible.
Too many companies these days point you to shoddy third parties for some kind of functionality (e.g. book an appointment, perform KYC on you, host the online learning platform for your course, etc.), inappropriately foisting both a new business relationship on you that you never asked for along with their partner's terms of service that you have no bargaining power in negotiating.
This is a side-effect of the SaaS era, and the model is broken.
Leaking PII should be very, very expensive, and then this idiocy would stop.
It should be criminal to leak PII, and company leadership should face imprisonment.
I strongly believe we should distinguish the price of doing the operation (aka rent) and the price of doing crime (ideally, jail).
https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Sec...
https://www.enforcementtracker.com/statistics
During a vacation in an Asian country, on the other hand, all of this was basically a no-brainer for small to medium businesses. I once rented a scooter there and the business owner had all her documents organised in WhatsApp chats. Including now my passport plus driver's licence... The people in general in that country were also very relaxed when it came to giving out their contact details to random businesses.
I don't want to throw shade on them, thus no country name. Incredibly friendly and welcoming people there.
They don't have a moral code, and they don't pay any price for mistakes.
They have zero incentive.
There’s an app for that: https://riskledger.com/
(Disclosure: skin in the game)