Trusted With Your Identity, Careless With Your Data
In this article:
You’ve probably already heard that ‘data is the new oil’.
It’s a good analogy, because neither have much utility in their crude form and need refinement to become useful, both rely on complex, large-scale infrastructure for extraction and distribution, and both are now considered key resources needed to drive a modern economy.
Like oil, data is now considered strategically important for nation states to secure a competitive advantage, and the companies that collect, control, and analyze it have become some of the most powerful in the world.
Unfortunately, the similarities don’t stop there. Just like when an oil tanker spills its contents into the ocean, data leaks are also unmitigated disasters that are difficult if not impossible to clean up.
Once your data is leaked, and your details end up on the dark web, there’s no recourse, no way to have it removed, and it will remain available for anyone motivated enough to find it. If it falls into the wrong hands, then it can cause you real problems, like exposing you to ID theft, fraud, or even physical attacks.
Despite these risks, governments and big tech are constantly inventing new methods to erode your privacy, and harvest more of your personal data. You now have to verify your identity to travel, access public services, purchase medicine, and in some countries, even to access social media.
In authoritarian regimes like the UK, for example, you’re now required to have a license for even the most basic things, like watching TV, or owning a chicken.
This is creating serious problems. Every detail of our lives is being tracked and monitored, but the people responsible for collecting our data aren’t competent enough to keep it secure. Billions of records are stolen, leaked, or lost every year, and the problem is only getting worse.
Data leaks happen far more frequently than oil leaks, but don’t receive anywhere near the same amount of media attention. So this week, let’s explore just how common they are, and what can be done to protect ourselves.
IDMerit Exposes 1 Billion Personal Records
We saw the perfect example of what can go wrong this week when it was discovered that global software provider IDMerit exposed the personal records of over 1 billion people from 26 different countries.
IDMerit is an AI-powered software provider that helps organisations verify people’s identities to ensure regulatory compliance and prevent fraud. They offer services like Anti-Money Laundering (AML) screening, document verification (passports, driver’s licences, national IDs), and age verification. By drawing on government records, credit files, and over 580 ID document types, their claim to fame is being able to authenticate identities across more than 180 countries.
It all sounds quite impressive, until you discover they don’t know how to secure any of it.
The most concerning thing about this incident is that IDMerit wasn’t the victim of a sophisticated hack. Instead, the company accidentally left a massive database online without so much as a password to protect it. An unprotected MongoDB instance containing nearly a terabyte of KYC data was left completely exposed, and the company was blissfully unaware until they were informed by a research team at Cybernews.
The scale of the exposure is staggering. The database contained over three billion records in total, with at least 1 billion containing sensitive records including full names, addresses, post codes, dates of birth, national IDs, phone numbers, gender, email addresses, telco metadata, and social profile annotations.
Reports suggest the database has now been secured, but the company still hasn’t had the decency to make a public statement. What we will never know is who else might have accessed and downloaded the data before the issue was resolved.
The bottom line is that the people demanding you hand over your identity to access essential services are wholly incompetent at keeping it secure.
Your Data Isn’t Safe
IDMerit is not an isolated case. If you look back over just the past 12 months, you start to understand the scale of the problem:
In August 2024, National Public Data (NPD) a Florida-based data broker that scrapes and aggregates public records for background checks had its entire database stolen. Nearly 3 billion US records were leaked on the dark web, with the stolen data including names, social security numbers, home addresses, and known relatives.
A combination of ransom demands from the hackers and huge class-action lawsuits ended up forcing the company to declare bankruptcy.
In October 2024, Transak, a company that offers KYC services to crypto companies, was hit by ransomware attackers who walked away with 300GB of passports, selfies, proof-of-address documents, and financial statements belonging to over 93,000 users. The group publicly threatened to sell whatever Transak didn't pay to suppress.
Transak at first refused to pay a ransom before later offering $30,000 for the attackers to delete the data. The hackers scoffed at the low offer and opted to sell it on the dark web instead.
In May 2025, Coinbase disclosed that overseas support contractors in India had been bribed to steal customer data from up to 70,000 users. Names, partial social security numbers, and government ID images were all exposed.
These unfortunate users now have to accept the reality that their identity will forever be linked to their interest in crypto. Nice work Brian, perhaps you should spend more time on security protocols than shitcoin launches.
In October 2025, a vendor called 5CA that Discord used for age verification services was compromised via their support ticketing system. It resulted in the leak of over seventy thousand government IDs that were collected to check whether teenagers were lying about their age.
Again, a system designed to ‘protect’ young users ends up doing the exact opposite.
In January 2026, the same researchers who discovered the IDMerit leak found another database sitting completely open on the internet. It contained 8.73 billion records belonging to Chinese citizens that included their names, home addresses, national IDs, passwords, and social media accounts.
Nobody knows who owned it or how it got there but what researchers could piece together was that the data hadn't come from a single breach, it had been quietly gathered from dozens of different sources over a long period of time. Someone somewhere was building an enormous, searchable library of personal information about Chinese citizens and was leaving it publicly available for anyone to see.
Close to a billion people may have had their most sensitive details exposed, and just like every other case on this list, there’s nothing any of them can do about it.
These 5 examples alone account for over 10 billion records that have been exposed in the last 12 months, which tells you everything you need to know about the scale of the problem. The idea that these companies are able to keep your data secure is a complete fallacy, and by leaking so much data, they facilitate more fraud than they prevent.
KYC Is the Illicit Activity
Let's talk about what KYC is actually for.
The stated goals are to prevent money laundering, stop terrorism financing, and keep the financial system clean. The problem is, KYC and AML rules demonstrably don't achieve them.
The largest money laundering scandal in history saw over $160 billion in suspicious transactions flow through Dankse Bank’s Estonian branch despite the bank being fully ‘KYC compliant’ throughout. And similarly, HSBC were caught laundering money for Mexican drug cartels for years, but somehow their stringent AML and KYC policies didn’t manage to prevent it.
The biggest financial crimes in recorded history were committed by institutions that ticked every box on the compliance checklist.
Meanwhile, Chainalysis reported in 2025 that illicit activity accounts for less than 1% of all crypto transactions. The narrative that Bitcoin is a tool for criminals has always been a deliberate misdirection. Cash, correspondent banking, and shell companies remain the preferred vehicles for serious financial crime and no amount of passport details collected from private citizens is going to change that.
So, if KYC doesn't catch criminals, what does it actually do?
It creates a detailed, permanent, centralized record of your financial life, maps your legal identity to your transactions, and gives governments and financial institutions the infrastructure to monitor, censor, freeze, or confiscate at will. It’s a surveillance system wearing a consumer protection costume.
KYC doesn't protect you from criminals. It hands your most sensitive personal data to a rotating cast of companies who have demonstrated, repeatedly, and at scale, that they cannot keep it safe. The data was never collected to catch the bad guys. It was collected to monitor and control you.
Protect Yourself – The Bitcoin Way
Just because these companies are careless with your data doesn’t mean you have to be. You are not completely powerless. The tools to meaningfully protect your privacy already exist; they work, and most of them are either free or close to it.
All you need to do is learn some new skills and put some new protocols in place.
When it comes to protecting your data and online privacy you can start by using nyms, open-source VPNs, disposable email addresses, and privacy browsers. And if you’re serious about it, you can upgrade to using privacy phones, non-KYC sim cards, and start exploring sovereign computing to reduce your reliance on big tech providers.
And you can protect your financial privacy by buying non-KYC Bitcoin, storing it in full self-custody, running your own node, and exercising proper UTXO management. You can even spend it privately by making use of the lightning network or by funding non-KYC Visa and Mastercards.
You can seriously improve your privacy and security with just a little concerted effort.
Nobody is going to protect your data for you, and the companies collecting it won’t keep it safe. You need to learn to protect yourself now, because every day you wait, the leaked databases get that little bit bigger.
When you want to be the one in charge of what data you reveal and when, book a free 30-minute call with one of our experts and we will teach you everything you need to know.