🟠 High | Source: Schneier on Security
A database of nearly one million passport scans, collected by cannabis dispensaries for ID verification, was exposed online. The breach illustrates a systemic risk where high-value government-issued credentials are entrusted to low-security third-party systems. The passports themselves are not compromised at source, but the leaked data can enable identity fraud, account takeover, and document forgery at scale.
Security Architect’s Take: Audit any third-party or SaaS identity verification vendors in your supply chain: demand evidence of encryption at rest, access controls, and data minimisation practices. Where possible, push for tokenised or hashed identity assertions rather than storing raw document scans, and ensure vendor contracts include breach notification SLAs and data retention limits.
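As an added illustration of the tokenised-assertion pattern recommended above (example code, not from the post or from any vendor it describes), the following Python keeps only a keyed pseudonym of the document plus the yes/no outcome of each check, so a compromised verification store yields no scan, name or date of birth; the structured OCR/MRZ output, the verifier secret and the sample scan are assumed.

```python
import hashlib
import hmac
from datetime import date, datetime

# Hypothetical verifier secret: in a real deployment it lives in a KMS/HSM,
# never in the same database as the verification records.
SECRET_KEY = b"example-only-verifier-secret-key"


def document_token(doc_number: str, issuing_country: str, key: bytes = SECRET_KEY) -> str:
    """Keyed pseudonym for a passport (HMAC-SHA256 over a canonical form).

    A plain SHA-256 of a short document number is not enough: the input space
    is small enough to enumerate, so the pseudonym must depend on a secret key.
    """
    canonical = f"{issuing_country.strip().upper()}:{doc_number.replace(' ', '').upper()}"
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def minimise_verification(scan: dict, checked_at: datetime, min_age: int = 21) -> dict:
    """Reduce a full scan (assumed OCR/MRZ output) to the record worth retaining.

    The image, name and date of birth are consumed here and deliberately NOT
    copied into the result; only the assertions the business needs survive.
    """
    dob = date.fromisoformat(scan["date_of_birth"])
    expiry = date.fromisoformat(scan["expiry_date"])
    today = checked_at.date()
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return {
        "doc_token": document_token(scan["document_number"], scan["issuing_country"]),
        "age_ok": age >= min_age,
        "doc_unexpired": expiry >= today,
        "checked_at": checked_at.isoformat(),
    }


def record_matches(record: dict, doc_number: str, issuing_country: str) -> bool:
    """Later re-check of a presented passport against a stored record, without
    ever storing the number itself; constant-time compare avoids timing leaks."""
    presented = document_token(doc_number, issuing_country)
    return hmac.compare_digest(record["doc_token"], presented)


# Constructed sample scan, standing in for the OCR/MRZ step's output.
SAMPLE_SCAN = {
    "image": b"<raw passport image bytes>",
    "full_name": "EXAMPLE, PERSON",
    "date_of_birth": "1990-05-10",
    "expiry_date": "2030-01-01",
    "document_number": "X1234567",
    "issuing_country": "gb",
}
```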
Original advisory: One Million Passports Leaked Online