One Million Passports Leaked Online

A database of almost a million passports from around the world was leaked online.

Note what happened. A high-value credential—a passport—was used in an ancillary low-value authentication system: ID verification for cannabis dispensaries. And it’s the low-value system that got hacked, putting the high-value credential at risk.
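One engineering consequence of that observation is that an age-gating system should never hold the passport at all: it can validate the document's machine-readable zone at the point of check, derive the one fact it needs (over the age threshold, document in date) and a keyed pseudonym for duplicate detection, and then discard the document data. The following is an added example written for this page, not code from the post or from any of the companies involved. It implements the ICAO 9303 TD3 check-digit scheme (weights 7, 3, 1 repeating, modulo 10) and returns a minimal attestation; the MRZ line is the ICAO 9303 specimen, whose check digits verify, the reference date is fixed so the output is reproducible, and the pepper is a placeholder that in a real deployment would live in a KMS or HSM.

```python
"""Added example (not from the post): verify a passport's TD3 machine-readable
zone and keep only an age attestation, never the document itself."""
import hashlib
import hmac
from datetime import date


def _value(ch: str) -> int:
    """ICAO 9303 character values: digits map to themselves, A-Z to 10-35, filler '<' to 0."""
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"invalid MRZ character {ch!r}")


def check_digit(field: str) -> int:
    """ICAO 9303 check digit: weighted sum with weights 7,3,1 repeating, mod 10."""
    weights = (7, 3, 1)
    return sum(_value(c) * weights[i % 3] for i, c in enumerate(field)) % 10


def _checked(field: str, digit: str, name: str) -> str:
    if check_digit(field) != int(digit):
        raise ValueError(f"{name} check digit mismatch")
    return field


def parse_td3_line2(line: str) -> dict:
    """Parse and validate the second MRZ line of a TD3 (passport) document.
    Every check digit, including the composite one, must verify or we fail closed."""
    if len(line) != 44:
        raise ValueError("TD3 line 2 must be 44 characters")
    doc_no = _checked(line[0:9], line[9], "document number")
    dob = _checked(line[13:19], line[19], "date of birth")
    expiry = _checked(line[21:27], line[27], "expiry date")
    personal = _checked(line[28:42], line[42], "personal number")
    # Composite digit covers doc no + check, DOB + check, expiry + check, personal no + check.
    composite = line[0:10] + line[13:20] + line[21:43]
    _checked(composite, line[43], "composite")
    return {
        "document_number": doc_no.rstrip("<"),
        "nationality": line[10:13],
        "birth": dob,
        "sex": line[20],
        "expiry": expiry,
        "personal_number": personal.rstrip("<"),
    }


def _yymmdd(field: str, today: date, is_birth: bool) -> date:
    yy, mm, dd = int(field[0:2]), int(field[2:4]), int(field[4:6])
    year = 2000 + yy
    # A birth date cannot lie in the future; roll it back a century if it would.
    if is_birth and date(year, mm, dd) > today:
        year -= 100
    return date(year, mm, dd)


def age_on(birth: date, today: date) -> int:
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years


def minimal_attestation(line2: str, today: date, min_age: int, pepper: bytes) -> dict:
    """Return only what a point-of-sale check needs: an over-age boolean, whether the
    document was in date, and a keyed pseudonym for duplicate detection. The MRZ,
    name, birth date and document number are deliberately not returned or stored."""
    fields = parse_td3_line2(line2)
    birth = _yymmdd(fields["birth"], today, is_birth=True)
    expiry = _yymmdd(fields["expiry"], today, is_birth=False)
    pseudonym = hmac.new(pepper, fields["document_number"].encode(), hashlib.sha256).hexdigest()
    return {
        "over_age": age_on(birth, today) >= min_age,
        "document_in_date": expiry >= today,
        "doc_pseudonym": pseudonym[:16],
        "checked_on": today.isoformat(),
    }


# Constructed input: the ICAO Doc 9303 specimen passport MRZ line 2 (its check digits
# verify), a fixed reference date so the result is reproducible, and a placeholder
# pepper. In a real deployment the pepper lives in a KMS/HSM, not in source.
SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
REFERENCE_DATE = date(2011, 6, 1)
PEPPER = b"example-pepper-do-not-use"

if __name__ == "__main__":
    print(minimal_attestation(SPECIMEN_LINE2, REFERENCE_DATE, 21, PEPPER))
```

The record that leaves `minimal_attestation` is all the dispensary's system ever needs to persist; a breach of that table exposes booleans and keyed pseudonyms, not 985,000 identity documents. The pseudonym is HMAC rather than a plain hash so that an attacker who obtains the table cannot brute-force the nine-character document-number space offline without also obtaining the pepper.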

Posted on June 26, 2026 at 7:03 AM

Comments

Bill Dietrich June 26, 2026 7:20 AM

I’m sure my passport is in this breach, but I haven’t been notified. Has anyone affected been notified? This breach is 2 months old, I think.

Bob Dobbs June 26, 2026 7:50 AM

I got a giggle out of CA reporting on CA’s data collection without consent in the linked article. Needed that, been a rough week XD

Druggy Coding June 26, 2026 9:40 AM

Might want to prevent your coding team from smoking on duty.

I coded for a few weeks while on prescription hydrocodone after some surgery. Don’t worry. It was for an avionics system that only impacted a few human lives who were risk takers already. Just because I wanted to go dancing every day, that shouldn’t matter, right?

Rontea June 26, 2026 10:50 AM

Nearly a million passports left sitting on the open internet with no authentication and no encryption is not a sophisticated cyberattack—it’s negligence. Threat actors don’t need to break into a system that’s already wide open.

When organizations collect this level of personally identifiable information, they’re taking on the highest form of risk. And yet, here we have an operation that treated digital passports like they were disposable images on a public server. No access controls. No audit trails. No serious defense-in-depth posture.

The takeaway is simple: if your business depends on processing identity documents, you must treat that data with the same rigor as a bank treats its vault. Implement access controls, encrypt at rest and in transit, monitor for anomalies, and have a defined incident response plan. Misconfigurations at this scale don’t just harm customers—they erode trust in the entire ecosystem.

If you’re in the business of handling sensitive data, this is your cautionary tale. Security is not optional.

Anonymous June 26, 2026 11:01 AM

Modern man believes he is free because he can verify his identity to buy trivialities, yet he entrusts the sacred document of his existence to the machinery of commerce. A passport, once a symbol of sovereignty and dignity, is now a token in a game of petty transactions. When the banal world of dispensaries mishandles the keys to the kingdom, we see the triumph of the insignificant over the essential, and humanity applauds its own captivity.

KC June 26, 2026 11:45 AM

@Bill Dietrich

The software company Nefos has been in touch with Ireland’s Data Protection Authority (DPC). Its co-founder tells The Verge: “We have to communicate to everyone that was potentially exposed.” Nilsen says he hopes the DPC can show them how to do this properly.

He adds they are parting ways with the company 9series, who he says created vulnerable APIs. And he’s aware they may get a penalty under EU Law as they did not disclose the breach within 72 hours. French security researcher Sammy Azdoufal discovered the 985,000 photo IDs online.

Clive Robinson June 26, 2026 12:00 PM

@ Rontea, ALL,

With regards,

“And yet, here we have an operation that treated digital passports like they were disposable images on a public server. No access controls. No audit trails. No serious defense-in-depth posture.”

Seriously what do you expect?

US law is pulling in “Know Your Customer”(KYC) requirements into ever larger parts of commerce.

However there is no counterbalancing legislation to protect citizens’ privacy with the same sorts of punishment for commercial entities as failing KYC requirements.

The reason for this is the “holy House of neo-con capitalism” and,

“Never leave money on the floor.”

All of the things you suggest would cost more than a brown envelope in a legislators political fund etc.

If you want even basic protections for citizens, you have to have legislation to make doing anything else way too costly.

They say you can not put a commercial entity in jail, but all such entities are required to have named and ID-produced controlling personnel. Just having a “No Defence” sentence giving all of them a week’s imprisonment for each set of citizens’ details lost, to be served consecutively with no parole and in Super-Max style isolation, might be a wake up call.

Oh and another piece of legislation requiring controlling officers of commercial entities to be like the US President… Over the age of 35, a full citizen, born in US territory, and still resident, along with provably having paid in full all taxes owed.

Yes I know it’s not going to happen with any of the current or likely future legislators.

It’s why for years I’ve said “get the shady money out of politics”.

In the US,

“Church and State are supposedly separate”

You need the same for commercial entities and any part of the State.

Mexaly June 26, 2026 12:27 PM

Check for elected representatives in the data dump, and publicize any that are found.

They’ll react more appropriately when they have, “Skin in the game.”

Clive Robinson June 26, 2026 12:39 PM

@ KC, ALL,

With regards,

“The software company Nefos has been in touch with Ireland’s Data Protection Authority (DPC).”

Are you aware of the controversy surrounding the Irish Data Commission’s “Niamh Sweeney”?

She was previously a senior lobbyist at Meta, raising concerns about conflicts of interest and impartiality in regulating big tech firms she previously worked for.

Then there is the “cherry on the cake” of her having signed the “lifelong Meta NDA” just like “Sarah Wynn-Williams”, who was dismissed by Meta and forced to sign a highly questionable NDA (even under US legislation). She turned author and wrote a book highlighting very bad behaviour in Meta and the attempts of Mark Zuckerberg and other executives to silence her.

Behaviour that was carried out in the UK that was illegal,

https://www.theguardian.com/technology/2026/jun/25/whistleblower-sarah-wynn-williams-sues-meta-attempts-to-silence-her-careless-people

Oh, whilst it’s likely that Mark Zuckerberg’s and Meta’s behaviour will not change Federal law under the current US Executive, it may well push various states to change employment legislation further to stop this form of nonsense.

keepTheInternetFreeNoAgeVerification June 26, 2026 2:01 PM

Another reason to support projects like Ageless Linux (preventing age-related ID verification being embedded at the OS level), Tor (anonymised browsing, though too easy for clear-web websites to recognise Tor exit nodes and block traffic from them), and Amnezia (a private VPN server setup architecture). Always safer to find a way round “age”-verification rather than comply and hand over all your details to be, inevitably, leaked.

no fonzanoons June 26, 2026 2:52 PM

@Clive

You were right about not sharing data. Thank you for all your good advice.

lurker June 26, 2026 2:55 PM

The researcher presents his analysis at

https://github.com/xn0tsa/because-i-got-high

Clive Robinson June 27, 2026 4:26 AM

@ lurker, ALL,

With regards “xn0tsa” link you gave.

It makes two points that most are not actually aware of,

1, Certain types of personal Data are actually “classified” at an equivalent to “confidential” or above.

2, Information you give in one jurisdiction for “a legal activity” there, can lead to a death sentence in another jurisdiction without you having to be there or doing anything illegal in that jurisdiction.

I don’t intend to go through Document Classification for a couple of reasons. Firstly it has a jurisdiction-variable component (the reason in part why the EU GDPR came into effect). Further it is complicated by other jurisdictions’ legislation equivalence. Secondly you can look it up, with Wikipedia giving an overview and links / references to the respective laws,

https://en.wikipedia.org/wiki/Classified_information_in_the_United_Kingdom

The important part to note is that all these document classifications are designed not just for the protection of the State, or National Organisation, but individuals as well.

One obvious reason for this being in the case of medical records, you might have lawfully carried out an act in a jurisdiction in the past that could be used to your detriment in another jurisdiction or future time (think about what is currently going on with Flock and other surveillance and Women’s personal sexual health and similar in the US currently where a “burn the witch” type mentality has come to the fore).

It’s why the UK has both a 30-year rule and a 100-year rule, as do other jurisdictions, as well as the equivalent to the old “NO FOREIGN” or “UK EYES ONLY” or similar.

It’s a complex subject that has a lot of wrinkles in it which many Politicians and Drum Bangers and similar hope you are not cognizant of.

One such is that when “editing or appending” to a document, it legally inherits the rules of when the document was first created.

The reason for this was to stop “edit windows” being used to in effect “remove classification protection”.

The previous UK political incumbents under Boris Johnson, when giving the UK National Health Records to the US mega-surveillance and AI company Palantir, had no excuse: because of Cambridge Analytica and its political fallout he would have been well briefed on the subject.

But what the heck, as I’ve mentioned before, I’ve had personal experience of the self-entitled narcissist who used a “bumbling persona” to get away with undesirable, illegal activities.
