Mexican tax refund site left 400GB of sensitive customer info wide open

Tourists' passport details and credit card numbers exposed


Mexican VAT refund site MoneyBack exposed sensitive customer information online as a result of a misconfigured database.

A CouchDB database featuring half a million customers' passport details, credit card numbers, travel tickets and more was left publicly accessible, security firm Kromtech reports. More than 400GB of sensitive information could be either downloaded or viewed because of a lack of access controls before the system was recently secured.

The exposed data comprises 455,038 scanned documents, including 88,623 unique passport numbers, related to people who were claiming a tax refund for goods purchased south of the border. Passports identified included those held by citizens of the US, Canada, Argentina, Colombia, Italy, and many more. Data from 2016 and 2017 featured in the exposure.

During a routine security audit, Kromtech discovered a misconfigured CouchDB instance that allowed public access to the data.

El Reg approached MoneyBack for comment but we're yet to hear back. ®
