Can verification be done at the moment of authorization (issuer or merchant-side)?

Yes. The value is making the verification decision at transaction time, where issuers and merchants need an enforceable signal. A verification layer can return a YES/NO decision plus a proof object suitable for audit, rather than relying on after-the-fact logs.

IDMerit · KYC breach · PII exposure · Cloud misconfiguration · Zero PII · Stateless verification

The IDMerit KYC disaster: a terabyte of PII exposed

IDMerit, a KYC identity verification provider, was reported as leaving ~1TB of highly sensitive PII exposed due to a cloud storage misconfiguration. The dataset reportedly included names, physical addresses, dates of birth, and identity-document imagery spanning multiple countries.

This is not “just a bucket mistake.” It’s the predictable outcome of an onboarding model that collects and retains raw identity data at scale. When verification vendors hoard PII, one permissions error turns into an ecosystem-wide blast radius. AffixIO is built around the opposite approach: stateless YES/NO verification and proof objects—so you can make enforceable decisions without creating a toxic PII asset.

See how verification works. Try the live demos (simulated data) or view an agentic consent receipt + replay verifier prototype.

Try the live demo View consent receipt demo Get API access

Related: identity verification without storing PII · eligibility verification API · PII minimization trend · agentic proof

What happened: one bucket, one terabyte, 25 countries

IDMerit is a widely used provider of KYC and identity verification services. Organizations hand them sensitive data so that IDMerit can verify users: full names, addresses, dates of birth, and copies of identity documents. That data has to live somewhere. In this case it lived in a cloud storage bucket that was left exposed. Security researchers (and, in all likelihood, threat actors) discovered that the bucket was accessible without proper authentication. The result: a full terabyte of highly sensitive PII in the open. Full names, physical addresses, birthdates, and raw identity documents from users across 25 countries. One misconfiguration. No hack required. Just wrong permissions on a bucket that never should have been public.

The scale is the point. When you design a system that collects and retains every piece of PII that flows through KYC, you create a single point of catastrophic failure. The industry standard is to hoard that data: store it, back it up, feed it into workflows, and hope that every access control, retention policy, and cloud setting stays correct forever. It does not. Misconfigurations happen. Insiders happen. Third-party breaches happen. The IDMerit incident is a reminder that the fatal flaw is not just one vendor; it is the model. Hoard first, verify later, and hope the bucket is locked.

The fatal flaw: hoard radioactive data, hope the cloud is correct

The current onboarding and KYC industry is built on a dangerous assumption: that it is safe to centralize and store massive amounts of user PII. Vendors collect names, addresses, birthdates, document images, and raw IDs. They put them in databases and object storage. They rely on IAM policies, bucket permissions, encryption at rest, and access logs. When something goes wrong (a misconfigured bucket, a stolen credential, a vulnerable API), the entire trove is at risk. Companies are literally crossing their fingers that their cloud settings are correct. That is not a security strategy. It is a liability time bomb.

Regulators and plaintiffs do not care whether the exposure was due to a typo in a config file or a sophisticated attack. The data was stored. The data was exposed. The responsible party is on the hook. The only way to eliminate that risk is to stop storing the data in the first place. If you never collect or retain full PII for verification, there is no terabyte to leak. You can still verify identity and eligibility; you just do it by querying authoritative sources and returning a binary result. No document repository. No bucket of IDs. No radioactive asset.

The AffixIO play: verify without storing, no bucket to misconfigure

We flip the model. AffixIO does not collect or store KYC documents or PII. The Binary Eligibility Verification API accepts an identifier and a circuit_id. It consults external data sources in real time and returns only whether the subject is eligible: yes or no. There is no bucket of names, addresses, or raw IDs. There is no repository to misconfigure. The API response includes eligible and data_retained is always null. So you get the verification outcome you need for onboarding and compliance without creating the kind of toxic data asset that turned a single IDMerit bucket into a global exposure event.

Identifier + circuit → AffixIO / external source → Binary eligible / not → No PII stored

The pitch: no toxic data asset, no blast radius

We enable KYC-style verification and onboarding without the radioactive data. No full names, addresses, or document images in your pipeline or ours. No terabyte to leak. When you integrate AffixIO, you are not adding another system that hoards PII and hopes the cloud is correct; you are adding a layer that answers a single question (is this identity or entity eligible?) and retains nothing. Compliance and verification stay intact. The blast radius of any future misconfiguration or breach drops to zero for that flow, because there is nothing to steal. One wrong checkbox cannot expose a terabyte of user data if you never stored that terabyte in the first place.

Verify with the API

Behaviour is documented and verifiable. The Binary Eligibility Verification API at api.affix-io.com exposes POST /v1/verify (send identifier and circuit_id; receive eligible) and GET /v1/circuits to list available circuits. See openapi.json and the product page for the eligibility verification API. For KYC-style checks without storing documents or PII, use circuits such as kyc or consent-verification.

Want to see the decision shape before you integrate? Use the live demo (simulated data) or explore ACRRV for proof-based consent receipts with replay resistance.

Summary. IDMerit, a major KYC app, left a full terabyte of PII exposed (full names, addresses, birthdates, raw IDs across 25 countries) because of a misconfigured cloud storage bucket. That highlights the fatal flaw of the onboarding industry: they hoard radioactive user data and cross their fingers that cloud settings are correct. AffixIO verifies without storing. No PII repository, no bucket to misconfigure, no toxic data asset. Binary eligibility only. For API access and KYC-style circuits without PII storage, contact hello@affix-io.com or use our contact page.

Circuits for this trend

Use these circuit IDs with the AffixIO API. List all circuits: GET https://api.affix-io.com/v1/circuits (see openapi.json). Run a check: POST /v1/verify with identifier and circuit_id.

kyc (KYC Verification)
consent-verification (Consent Verification)
audit-proof (Audit Proof)
composite (Composite Circuit)
token-validation (Token Validation)

How AffixIO fits in

AffixIO provides the verification layer that does not hoard PII. After incidents like IDMerit, the question is not only how to fix the leak but how to avoid creating the leak in the first place. If the goal is to verify identity or eligibility, a binary result from a trusted API may be enough. No documents, no raw IDs, no bucket to misconfigure. For API access and KYC-style circuits that return only eligible or not (and retain nothing), contact hello@affix-io.com or use our contact page.

Frequently asked questions

What happened in the IDMerit KYC breach?

IDMerit was reported as leaving ~1TB of highly sensitive KYC PII exposed due to a cloud storage misconfiguration. The incident illustrates how one permissions mistake can expose a massive identity trove when vendors retain raw onboarding data.

Why is hoarding KYC data a systemic failure mode?

If your architecture depends on retaining document images and raw identity attributes, you create a high-value, long-lived target. A misconfiguration, compromised credential, or insider event can expose the entire trove. The safer model is to minimize retention and return constrained decisions or proofs instead of building a permanent PII repository.

What does “stateless YES/NO verification” mean?

It means the verifier evaluates a request against policy and trusted sources, returns a machine-readable YES or NO (optionally with a signed proof object), and does not retain the underlying personal data as a stored asset.

How does AffixIO reduce IDMerit-style risk?

AffixIO is designed as a privacy-first verification and decision layer. Instead of storing KYC document images, it returns a binary decision and keeps retention minimal—so you can verify without creating a new toxic PII asset.

Can issuers or merchants verify at the moment of authorization?

Yes. The point is to provide an enforceable signal at transaction time: a YES/NO decision and (where needed) a proof object suitable for audit—rather than relying on after-the-fact logs.

How does this relate to AI agents and consent receipts?

The same principle applies: systems should verify permission, scope, constraints, and replay resistance at the moment of action. For agentic transactions, consent receipts provide cryptographic proof that a user delegated authority to an agent under defined limits. See the consent receipt demo and agentic proof.

Explore API access for KYC-style verification without PII storage.

Contact our team

More trends · Trustless B2B onboarding · Sectors