Mexican tax refund site left 400GB of sensitive customer info wide open

Tourists' passport details and credit card numbers exposed

Mexican VAT refund site MoneyBack exposed sensitive customer information online as a result of a misconfigured database.

A CouchDB database featuring half a million customers' passport details, credit card numbers, travel tickets and more was left publicly accessible, security firm Kromtech reports. Until the system was recently secured, more than 400GB of sensitive information could be viewed or downloaded because of a lack of access controls.

The data includes 455,038 scanned documents, including 88,623 unique passport numbers, related to people who were claiming a tax refund for goods purchased south of the border. Passports identified included those held by citizens of the US, Canada, Argentina, Colombia, Italy, and many more. Data from 2016 and 2017 featured in the exposure.

During a routine security audit, Kromtech discovered a misconfigured CouchDB that allowed public access to the data.

El Reg approached MoneyBack for comment but we're yet to hear back. ®


Biting the hand that feeds IT © 1998–2017