Letter to the Sentinel Chain community. CEO Roy Lai on the KYC Registration Incident
I have always said that we should be transparent — whether it’s to my family, my friends, my team, and especially to the community. Whether it’s good or bad news, I’m going to be honest and transparent.
The Sentinel Chain KYC registration started on 5th February at around 00:05 GMT. This registration was scheduled to be open till 26th February. Within the first 10 minutes of opening the registration, we received over 1,000 applications.
At around 00:15 GMT, one of our registered Sentinel participants notified us of the vulnerability on our website.
All personal information submitted, such as e-mail addresses, passwords or Ethereum public addresses, was encrypted on our database. However, a vulnerability on our registration site had allowed some of the uploaded files to be accessed by another registered user.
Upon that discovery, we promptly took our server offline. As soon as it became evident and we were certain that sensitive identification information could have been exposed, we notified the community immediately.
Due to the sensitivity of the situation, our first priority was mitigation and containment, followed immediately by conducting an investigation to determine the scope of the matter.
Shortly after, our forensic data team identified the 15 registered participants who had gained unauthorised access. After our thorough investigations, we can confirm that this incident was an unintentional and accidental discovery. We have gained their compliance and co-operation to destroy the files. We have no evidence to suggest that this was a malicious attack.
As required by law and on the advice of our legal advisors, we have also notified the relevant authorities, government and law enforcement agencies.
At the same time, the team identified the 21 registered participants who have been affected by the incident. Over the past couple of days, I have been personally reaching out to them to assure them that we are taking all necessary steps to protect their personal information.
Protecting all our Sentinel supporters’ personal data is our absolute priority.
Since the incident, we have been working tirelessly to improve our security systems and processes. We have been conducting a thorough review of our registration site and have taken all the necessary steps to improve the protection of your data. Our professional security firm is currently conducting a comprehensive security review. I am also very thankful that several security experts in our Sentinel community have approached me to volunteer their services. We are currently in the midst of conducting several iterations of penetration testing on our registration site.
I understand the community is still eager to submit their Proof-of-Support. Your support for Sentinel Chain now takes on a deeper meaning than before. Your Proof-of-Support means that you have the trust and confidence in Sentinel Chain and the value it will bring to the unbanked community.
We will resume our KYC registration on 10th February at 00:00 GMT. We will be publishing the FAQ to assist with your registration process.
This incident has taught me the importance of community spirit and I am truly humbled by all the messages of encouragement and well-wishes from the supporters of Sentinel Chain. In spite of this unfortunate incident, our Sentinel community are even more committed to supporting the success of our shared mission towards financial inclusion.