Show me the consequences. I hear there are supposed to be repercussions, but these asshats never seem to pay for their crimes.

Wow it's insane that Cambridge Analytica is still around after the scandals.

Ok, let's use that and put the other two in the toptext.

I think every SSN is already leaked and government is doing nothing. I tried to change SSN and they told me it is not possible.

I've had stuff like this happen too, and always wondered if they really leaked my data or were just notifying everyone whose data they possibly leaked.

  > Once a document has been used to verify a person's identity and that the person is of legal age, there is no reason to retain a copy of the document any more.

Might KYC laws and general CYA policies prefer to keep the proof of age? For instance to protect e.g. against a minor altering the date on their passport. Especially in such a regulated industry.

There are established ways / protocols to hold and provide cryptographically valid proof of a verification process, without any need to keep the actual id images in any storage. And to my knowledge there is no requirement for compliant KYC (Know your customer) to provide their ID as a proof as long as the verification process itself is compliant and audited in accordance to certain criteria.

You can compare this in a certain way to file hashes. A successful verification with a predefined minimum level of credibility can be encrypted to a special string for later being used, if a service needs to verify the person again. It doesn't matter then, that the original passport images or video ident has been deleted the second after id verification has been completed.

>Why wouldn't they? There are probbaly significant downsides if they fail an audit requirement,

Right, and keeping old passports used for verification should cause an audit to fail.

I have a story about this, although it's a bit convoluted and not entirely related. But it does showcase low-value usecase compromising a high-value auth mechanism.

I was working on a project, client is a Real Estate agency, they use a CRM where they upload houses and it in turn uploads it to various sites like Zillow. We needed a list of their listed houses, so we wanted to use that data source instead of making a CRUD where they have to add houses yet again.

We ask the CRM sales team about APIs, they tell us that there's no accounts for third parties, client accounts have APIs, so we have to ask the client for an API key (or for their account password).

Which makes sense in general I guess, but the data is public in our case, so the CRM sales staff 's idea was that we should ask the client to let us access their account in order to get public data. We proceeded to scrape the houses from a website like Zillow like cavemen.

As it happens, our project was ancilliary low-value. So I don't doubt that the clients of this CRM are vulnerable in a similar way, and the root cause of the issue isn't evident at all, I can see 2:

1- Paradoxically, having an API that always requires an API KEY (as opposed to allowing unauthenticated access for public data) is less secure, as credentials/tokens will be used more often when not necessary.

2- This CRM effectively acted as an aggregator, consuming the APIs to publish to other vendors, but they don't provide an API for other vendors to read data from them. This effectively causes third party vendors to authenticate as the client, which is just incorrect. Credentials should identify a person/group, not a usecase.

I'm not sure how it works in the EU, but in the US, most states have a "PMP" (prescription monitoring program) that tracks the sale of marijuana in many states (nevermind that its not an actual prescription, but it is a controlled substance) and viewable by your doctor back up to ~12 months or so. Most people don't know this however and think it works like alcohol sales where it's sold after ID verification and then everyone forgets about it. Some states treat marijuana sales like prescription drug dispensing, it has to be reported to a central database including the intimate details of the persons involved. I have no idea if this is the case in Spain, however.

Compared to what what option, clay tablets of cuneiform? :p

In terms of significant danger, perhaps you're thinking of nitrocellulose movie film that was phased out in the '50s.

Stealing a shoebox of photocopied passports from every hotel in the city sounds like way more work and way riskier than downloading an already aggregated trove of digital data.

My guess is that the machine readable chip standards and the production quality required to replicate a physical passport are high enough that only the most organized of organized crime can fake the highest value passports effectively, and if a passport is easy to replicate, it is less likely to have visa free access to most countries.

To second the photographed/photocopied requirements, as an expat, I am frequently asked to send a scan of my passport to people or entities that are not necessarily the most secure.

I also have a couple of important documents that are literally PDFs. My Canadian citizenship certificate is a PDF with a barcode in it, that I can print off a copy of if I need to mail it, or show on my phone to a consular office or a border guard if needed. My work visa here in New Zealand is a PDF with my passport number and a visa number, which my workplace and bank checked with an online database. Fundamentally, these and my passport are pointers to a row in various databases.