Mexican VAT Refund Giant Exposes Half-Million Passports, Credit Cards Online

If you’ve ever gone on holiday to Mexico and done a little shopping, then you know you can apply for a value-added tax (VAT) refund on the goods you’re taking back home. Unfortunately, one of the largest companies that does that, the appropriately named MoneyBack, has laid open its users’ information to bad actors.

According to the Kromtech Security Research Center, MoneyBack has fallen prey to the all too common mistake of leaving a misconfigured database open to the public web (it has since been secured). The CouchDB database contains passport information, credit card numbers, travel tickets and various other credentials for nearly a half-million customers, all of which was left accessible to anyone that stumbled across it.

Kromtech said that the potentially leaked data totals more than 400GB—none of which required password protection or other authentication to view or download. The information could be used to commit identity fraud or craft spearphishing gambits; or, the credit card numbers could be sold or used for fraudulent purchases.

Chances are that tourists who have visited south of the border and applied for a VAT refund in the last year could be impacted: MoneyBack is pretty much everywhere in Mexico. The company’s general director, Danielle Van Der Kwartel, told the firm that there are 6,500 MONEYBACK affiliated stores; and, they provide service in more than 98% of Mexico’s airports and cruise ship docking points, plus offices and shopping mall locations.

The data includes 455,038 scanned documents, including 88,623 unique passport numbers. Researchers identified impacted passports from the US, Canada, Argentina, Colombia, Italy and elsewhere around the globe—the analysis suggests that every client that has used MoneyBack services between 2016 and 2017 was exposed.

“Improperly storing digital data is one of the biggest threats facing consumers, businesses and governments,” said Bob Diachenko, chief security communications officer at Kromtech, in a post. “Data can be backed up, copied, reproduced very easily, and one small mistake could expose everything as this case has demonstrated. It would seem logical that organizations would have multiple copies of production data in the event of some type of catastrophic event, ransomware, hacking or other threats. However, the same backups that provide a kind of “insurance policy” when recovering from data loss is also the same culprit that makes a data leak more likely. The reality is that the more copies an organization has of their data the higher the likelihood that a leak will occur.”

He added that in early 2017, 10% of CouchDB servers were victims of ransomware because of the same misconfiguration.

"This is not the first time, and will certainly not be the last, that we hear about sensitive information being exposed by an organization that is entrusted with it,” said Zohar Alon, co-founder and CEO, Dome9. “Operator error and lax security practices are the leading cause of security breaches and data leaks in the public cloud. As the value of data in the cloud grows, the monetary and reputation impact of such incidents will increase."

What’s Hot on Infosecurity Magazine?