Investors that took part in the recent initial coin offering (ICO) launched by cryptocurrency startup Sentinel Chain may have had their personal information—including passport photos—exposed due to a security vulnerability.

After launching its ICO on February 5, Sentinel Chain temporarily halted the token sale after it was notified that the system it used to verify its users was leaking the personal data that those users were supplying to the company.

Cryptocurrencies Cryptocurrency startup Sentinel Chain exposed investor data including passport images. Photo: David McBee/Pexels

In a blog post made Wednesday, the company acknowledged the issue that stemmed from the company’s KYC (know your customer) registration system and noted that some user information may be accessible to other users.

“All personal information submitted such as e-mail addresses, passwords or Ethereum public addresses, were encrypted on our database,” Sentinel Chain CEO and founder Roy Lai wrote. “However, a vulnerability on our registration site had allowed some of the uploaded files to be accessed by another registered user.”

Included in those images that were made accessible to other registered users were passport photos and other pieces of identifying information. While Sentinel Chain didn’t release how many users registered—and how many could access the leaked information—the company reported over 1,000 applications in the first 10 minutes of open registration.

According to Sentinel Chain, 15 registered participants used the vulnerability to gain unauthorized access to the leaked user information. It is unclear if those attempts were done maliciously. Twenty-one investors were affected by the security bug and reportedly been contacted by Sentinel Chain about the incident.

One of the 15 users who accessed appeared to only do so to report to Sentinel Chain that the exploit was available. The company confirmed in its blog post that it was alerted by one of its users of the vulnerability, which led to the temporary shutdown of the ICO.

Despite this, that user appears to have been turned over to law enforcement. A user posting on Reddit and claiming to be the one who reported the vulnerability said shortly after informing the company of the issue, they received notice that the police had been informed of the illegal access of information.

“A couple hours later I received an e-mail from InfoCorp, the company that owns Sentinel Chain saying that they have notified the relevant authorities and that they are in consultation with their legal advisors on pursuing such unauthorized access to the maximum extent permitted at law including under the Computer Misuse and Cybersecurity Act (Chapter 50A),” the Reddit user said. “As a thank you for reporting the vurnability [sic] I got a police investigation.”

Sentinel Chain announced Wednesday it would once again open its ICO and resume registration starting Feb. 10. If the incident is enough for potential investors to be scared off from the company that plans to “provide affordable and secure financial services to the unbanked” is yet to be seen.