Another huge data leak made the headlines, experts from security firm Kromtech discovered the Mexican VAT refund site MoneyBack exposed sensitive customer information online. because of a misconfigured database.
Kromtech discovered the unsecured CouchDB during a routine security audit.
The Mexican VAT refund site MoneyBack is used by tourists that applied for a tax refund on the money they have spent in the country while shopping there.
The data leak was the result of a misconfigured Apache CouchDB database containing roughly 500,000 customers’ passport details, credit card numbers, travel tickets.
“The Kromtech Security Research Center has discovered a misconfigured database with nearly half a million customer files that were left publically accessible.” reads the analysis published by Kromtech.
“The database appears to be connected with MoneyBack, a leading provider of tax refund (value-added tax refund or sales tax refund) services for international travelers in Mexico.
Moneyback is part of Prorsus Capital SAPI de CV, a Mexican Investment Fund. The most dangerous aspect of this discovery is the massive amount of data totaling more than 400GB.”
The experts discovered more than 400GB of sensitive data left open accessible online, the huge trove of information includes 455,038 scanned documents (Passports, IDs, Credit Cards, Travel Tickets & More) and 88,623 unique passport numbers registered or scanned.
The experts identified passports from all over the world, mostly belonging to citizens from the US, Canada, Argentina, Colombia, and Italy that used the services between 2016 and 2017.
Which are the risks related to the exposure of such kind of data?
“Cyber criminals could have all of the information they would need to commit identity fraud or use the hundreds of thousands of credit card numbers that were in the database.” states Alex Kernishniuk, VP of strategic alliances, Kromtech.
(Security Affairs – MoneyBack, DataLeak)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.