[nothxbro]

Ok, some good news. It might be untrue about them having passport scans. Reason I say that, is the following:

We know from the leaked mtgox crisis plan doc that they have 550,000 verified accounts.

Each user who wanted to be verified had to scan at least 2 documents- a passport+license and a electric bill of sorts.

Assuming both documents alone were only 100KB combined (and its likely way more than that since scans are usually 500KB+ per document) than we can estimate the file size:

550,000 x 100KB = 52.45GB

Thats more than double the claimed 20GB.

In fact, even if we believe that every persons doc is in the DB; and assuming nothing else but passports is in there- you are only allowing for 20KB per document

[nly]

My guess is any passport scans would just be any recent web uploads made by users trying to verify their accounts and thus copied off the web server filesystem, not their customer database. Once verified these documents would be moved somewhere else, one would hope.

In any case, regardless of what was found or how, it's completely inexcusable that such sensitive data isn't encrypted asymmetrically the moment they receive it.

[mschuster91]

It is possible for them to extract the MRZ data of the passport (the Machine Readable Zone), it contains the passport ID, issuer state, DOB and DOE.

I don't know if the regulatory requirements state that you must keep a photocopy, but in case you do not it would be foolish to store more data than you need.

[alcari]

That may be possible, but they also accepted non-passport images, which don't necessarily have such information.

[talkingquickly]

My impression was they were claiming to have passport scans and a 20GB DB dump, e.g. that they were separate?

[datphp]

They might very well have a "verified" column in their DB, and the scans archived or discarded.

[bencollier49]

Perhaps Gox lost two thirds of them. Or the hackers didn't download them all.

[ekianjo]

especially since they required passport scans in color and high resolution (at least 200 dpi).

[uid]

so Gox were also leaking passport scans?