Regtech Sumsub Addresses Security Incident with German Firm Merkur AG

On March 14, 2025, Regtech Sumsub, a firm specializing in identity verification and anti-fraud solutions, issued a statement regarding a security incident involving Merkur AG, a prominent German company.

At Sumsub, they claim that security is their top priority, and they take all reports of potential vulnerabilities seriously.

Sumsub noted in a blog post that after a thorough investigation, they confirm that there have been “no data leaks or breaches on Sumsub’s side.”

The security incident in question was reportedly “caused externally by a third-party integrator used by our customer.”

According to Sumsub’s blog post, the client’s access credentials to the system became “publicly available due to the integrator’s negligence.”

More specifically, “an API misconfiguration flaw in the authentication process created by this integrator exposed Sumsub’s API tokens intended for user authentication.”

This misconfiguration in the “external integration, in turn, enabled unauthorized access to user data through the API.”

Therefore, the security failure pointed out by the reporter, Lilith Wittmann, was entirely “related to a third-party integration and was beyond Sumsub’s reasonable control.”

Importantly, Sumsub’s systems were “not compromised, as the unauthorized actor was using legitimate API credentials to make requests identical to those of regular users.”

The root cause of this incident was “created when their customer’s integrator made possible the exposure of user access tokens in verification links, which is comparable to publicly sharing private login credentials.”
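The failure mode described above, as an added defensive example that is not part of the article or of Sumsub’s or the integrator’s code: a verification link that embeds the long-lived API credential beside one that carries only a short-lived, signed, per-applicant token, plus a check a team can run over its own generated links or logs. All endpoints, keys and the token format are hypothetical.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlparse

# Constructed, hypothetical values: not Sumsub's real endpoints, credentials or token format.
API_SECRET = "sk_live_EXAMPLE_DO_NOT_USE"      # long-lived integrator credential; must stay server-side
LINK_SIGNING_KEY = b"link-signing-key-example"  # used only to mint per-applicant link tokens

def weak_verification_link(applicant_id: str) -> str:
    """The misconfiguration the article describes: the integrator's API token is written into
    the link sent to the end user, so anyone holding the link holds the credential."""
    return f"https://verify.example/start?applicant={applicant_id}&token={API_SECRET}"

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_link_token(applicant_id: str, ttl_s: int = 900, now=None) -> str:
    """Hardened design: a short-lived, HMAC-signed token bound to one applicant.
    The long-lived API secret never leaves the integrator's server."""
    now = int(time.time()) if now is None else now
    claims = {"sub": applicant_id, "exp": now + ttl_s, "nonce": secrets.token_hex(8)}
    body = _b64e(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(LINK_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(sig)}"

def verify_link_token(token: str, applicant_id: str, now=None) -> bool:
    """Server-side check: valid signature, not expired, and issued for this applicant."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(LINK_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64d(sig), expected):
            return False
        claims = json.loads(_b64d(body))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return False
    if not isinstance(claims, dict):
        return False
    return claims.get("sub") == applicant_id and claims.get("exp", 0) > now

def hardened_verification_link(applicant_id: str, now=None) -> str:
    return f"https://verify.example/start?t={issue_link_token(applicant_id, now=now)}"

def link_leaks_secret(url: str, secret: str) -> bool:
    """Defender's check to run over generated links, access logs or support tickets:
    does the URL path or any query value carry the API credential?"""
    parsed = urlparse(url)
    values = [v for vals in parse_qs(parsed.query).values() for v in vals]
    return secret in parsed.path or any(secret in v for v in values)
```

Running `link_leaks_secret` over every outbound link before it is sent, and over web-server logs afterwards, turns the root cause named in the article into a routine check rather than a post-incident discovery.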

Upon becoming aware that an unauthorized actor—later identified as Ms. Wittmann—had gained access to the client’s data, they claim to “have promptly contacted the customer with instructions on how to prevent any further exposure.”

Additionally, in advance of the publication, they “proactively reached out to Ms. Wittmann to conduct further investigation.”

Nevertheless, they claim to take this matter with the “utmost seriousness and will continue to enforce the highest security standards, working closely with our partners to prevent vulnerabilities and ensure robust protective measures are always in place.”

Their goal is to eliminate “any chance of a data leak to the maximum possible extent, period, even where the risk is not due to any oversight attributable to Sumsub.”

This event highlights the importance of maintaining a high level of security in a digital economy where cyberthreats evolve constantly.

As businesses increasingly rely on Regtech solutions like Sumsub’s to verify identities, combat fraud, and ensure compliance, the stakes for data protection have never been higher.

The global cost of cybercrime is projected to reach $10.5 trillion annually by 2025, driven by phishing, ransomware, and supply-chain attacks.

For Regtech firms, which process sensitive personal and financial data, a breach can erode trust, trigger regulatory penalties, and disrupt client ecosystems.

Sumsub’s response exemplifies how monitoring and transparency can mitigate damage, and it also serves as a wake-up call for the industry.

Competitors like Trulioo and Jumio face similar pressures, with Trulioo recently enhancing its encryption protocols and Jumio touting its biometric authentication advancements.

Sumsub’s edge lies in its AI-powered fraud detection, which identifies 2 million fraudsters in its database, yet this incident reveals that even advanced systems aren’t immune to human-centric exploits like phishing.

The broader Regtech sector must prioritize resilience, as clients—spanning fintech, crypto, and e-commerce—demand uninterrupted security amid rising digital adoption.

In a landscape where 91.64% of U.S. users pass Sumsub’s verification in under 50 seconds, speed must not compromise safety.

The Merkur AG incident reinforces that maintaining high security standards is paramount, protecting not just data but the vital trust that underpins the digital economy’s growth. Bad actors are now increasingly using AI to launch malicious attacks and Regtech firms like Sumsub need to constantly improve their products to address the rise in cyberthreats.
