1.6 Million IDs Exposed: Major Data Breach at Mexican Fintech Kapital

The Mexican financial services company Kapital, catering to small and medium-sized enterprises, has found itself at the center of a major data breach scandal. Cybernews researchers uncovered an exposed database containing 1.6 million photographs of voter identification cards and selfies intended for identity verification.

The database, hosted on Google Cloud Storage, has remained publicly accessible for over three months. Despite repeated attempts to notify Kapital and reports to Mexico’s CERT, access to the data had not been restricted even at the time of publication.

Experts emphasize that documents such as voter identification cards are widely used for identity verification, access to services, and conducting financial transactions. Their exposure jeopardizes the security and privacy of users, paving the way for fraud and identity theft.

Headquartered in Mexico City, Kapital serves approximately 80,000 small businesses, offering services including loans and credit cards. Its app has been downloaded more than 100,000 times, and the startup secured $165 million in investments from Tribe Capital last year. However, the company has yet to comment on the data breach.

The ramifications of such a breach could be severe. Malicious actors could exploit voter IDs to open fraudulent accounts, apply for loans, or carry out other scams. Victims may face financial losses, damage to their credit histories, and broader identity-related issues.

Under Mexican law, violations of data protection requirements can result in fines of up to $1.5 million. Cybernews experts urge Kapital to immediately restrict access to the exposed database, migrate it to a secure environment, and notify all affected clients.

At present, it remains unclear who may have accessed the data, but the absence of protective measures over several months raises serious concerns about Kapital’s approach to information security.