Reports of Unauthorized Access at Onfido Raise Concerns Over KYC Data Security

Abeerah Hashim  - Security Expert
Last updated: July 11, 2026
Share
Reports of Unauthorized Access at Onfido Raise Concerns Over KYC Data Security
  • Reports of unauthorized access involving identity verification company Onfido have renewed concerns about how companies store and protect KYC data.
  • The reported incident may involve identity documents and facial selfies used during customer checks, although many details remain unknown.
  • Privacy experts say the case shows why storing large amounts of personal identity data with one provider carries serious risks.

Businesses use identity checks every day to confirm who their customers are. Many of them trust outside companies to handle this job. One of those companies is Onfido, which is now part of Entrust. Now, reports of unauthorized access involving Onfido have sparked fresh concerns about how companies protect sensitive customer information.

Only a few details have become public so far. Online reports claim someone may have accessed identity documents and facial selfies that customers uploaded during identity checks. The reports also say French fintech company Spiko informed some affected users about ten months after discovering the incident.

At the time of writing, neither Entrust nor Spiko has shared detailed public information explaining exactly what happened or how many people may have been affected. As a result, many questions remain unanswered. Still, cybersecurity and privacy experts say this case highlights a much larger issue that reaches beyond a single company.

Companies store some of people’s most sensitive information

Identity verification providers play an important role in today’s online world. Banks, cryptocurrency exchanges, fintech firms, online stores, and many other businesses use these companies to confirm customer identities. To complete those checks, customers often upload passports, national ID cards, driver’s licenses, proof of address documents, and facial selfies.

That means these providers hold huge collections of highly sensitive personal information. This also makes them attractive targets for cybercriminals. Unlike passwords, people cannot simply replace their faces or many government-issued identity documents after they become exposed. A stolen passport image or facial verification selfie could remain useful to criminals for many years.

That is one reason privacy experts continue to warn about protecting identity data. The reported incident comes while Entrust continues adding Onfido into its business after acquiring the identity verification company earlier this year.

Entrust has expanded its identity security services by combining Onfido’s technology with its own products. Even though investigators have not confirmed many details about the reported incident, the case has renewed public discussion about how identity verification providers protect customer records.

Privacy experts continue to warn about centralized KYC systems

The reported incident also comes as more businesses and governments expand digital identity checks. Many financial services, online platforms, and age verification systems now rely on third-party providers to verify customers. Privacy advocates have raised concerns about this approach for years.

They say placing millions of identity records inside a small number of companies creates valuable targets for attackers. Even when companies use strong security measures, storing so much information in one place increases the possible impact if an incident happens.

The debate over digital privacy is global. China has been tightening controls on internet access, including a crackdown on unauthorized VPN use.

A single security event could expose information belonging to many people at once. Entrust also discussed this growing problem in its 2026 Identity Fraud Report.

According to Entrust, identity attacks continue to become more advanced each year. The company said criminals now use more AI-generated deepfakes, biometric fraud attempts, and other identity-based attacks. Entrust believes organizations should not rely only on one identity check. Instead, the company says businesses should protect customer identities throughout the entire relationship.

The reported Onfido incident also reflects a wider trend across the identity verification industry. Several providers have disclosed security incidents or data exposure cases in recent years.

Those events have led to closer attention on how KYC providers collect, store, and protect customer information. Researchers also continue to warn that identity verification companies manage some of the most sensitive information in the digital world.

A majority of these providers store government-issued identity documents together with biometric information, making their databases especially valuable if attackers ever gain access.

Many questions still remain unanswered

A lot of facts about the reported Onfido incident remain unknown. Officials have not confirmed the total number of affected users. They also have not confirmed exactly what information someone may have accessed. Until more details become public, businesses that depend on outside identity verification providers will likely face more questions from customers.

People may want to know how long companies keep identity records. They may also ask how quickly businesses respond after discovering a security incident. Another important question is how openly companies share information with affected users. The reported incident has also renewed debate about the risks of keeping large amounts of KYC data with outside providers.

As governments and private companies continue expanding digital identity requirements, protecting that information becomes even more important. Checking a person’s identity is only one part of the job.

Companies must also protect passports, identity cards, facial selfies, and other personal records after collecting them. For now, the reported Onfido incident remains under review, and many important details have yet to be confirmed.

Until more information becomes available, the case continues to remind businesses that collecting identity data also brings the responsibility of keeping it safe.

Share this article

About the Author

Abeerah Hashim

Abeerah Hashim

Security Expert

Abeerah is a passionate technology blogger and cybersecurity enthusiast. She yearns to know everything about the latest technology developments. Specifically, she’s crazy about the three C’s; computing, cybersecurity, and communication. When she is not writing, she’s reading about the tech world.

More from Abeerah Hashim

Comments

No comments.