Sentinel Chain, a startup that vows to “unleash the economic potential” of the poor, recently launched its initial coin offering (ICO). Reportedly, the company’s know your customer (KYC) system had a critical vulnerability that leaked investors’ passport data.
As reported by the International Business Times, Sentinel Chain was forced to halt its ICO after it was notified the system was leaking its users’ personal data. Leaked data included their email addresses and images of their passports.
The company has already confirmed the issue through a blog post, in which it detailed the impact of the vulnerability. Per the company’s CEO Roy Lai, submitted information was encrypted in Sentinel Chain’s database. A vulnerability allowed registered users to access uploaded files.
While the company didn’t reveal how many users were registered, it reported over 1,000 registrations in the first 10 minutes of applications. Lai revealed that Sentinel Chain was able to identify 15 individuals who attempted to exploit the glitch.
Although 15 attempted to exploit it, seemingly only 21 were affected. Lai stated:
“At the same time, the team identified the 21 registered participants who have been affected by the incident. Over the past couple of days, I have been personally reaching out to them to assure them that we are taking all necessary steps to protect their personal information.”
Per the company, users who found out about the vulnerability seemingly did so unintentionally. After reaching out to the individuals who gained unauthorized access, Sentinel reportedly managed to gain their “compliance and co-operation to destroy the files”. Lai added that no evidence suggests there was a malicious attack.
Nevertheless, as required by law and on the advice of legal advisors, Sentinel Chain notified authorities and law enforcement agencies, he said.
Sentinel Chain reportedly called police on user who found the glitch
At least one of the users who gained unauthorized access was seemingly turned over to law enforcement. According to a now-deleted Reddit thread, the user claims to have reported the vulnerability to the company, only to then be accused of illegally accessing the information.
The Reddit user noted that as a thank you for reporting the glitch, he was being investigated. He said:
“A couple hours later I received an e-mail from InfoCorp, the company that owns Sentinel Chain saying that they have notified the relevant authorities and that they are in consultation with their legal advisors on pursuing such unauthorized access to the maximum extent permitted at law including under the Computer Misuse and Cybersecurity Act (Chapter 50A).”
Sentinel Chain has since announced its ICO will resume registrations on February 10. Notably, it had recently signed a partnership with blockchain solution VeChain, which could’ve drawn in potential investors.
This is the latest case in which potential ICO investors have suffered. Investors who wanted to get in on Ethereum-based Prodeum’s ICO saw the team behind it pull an exit scam. Experty’s ICO faced a different fate, as a hacker netted $150,000 worth of Ether after phishing its investors.