PayMyTab Exposes Data of US Restaurant Goers

Written by

A mobile payments provider exposed the data of thousands of US restaurant goers for 16 months by failing to follow security protocols. 

PayMyTab didn't change the security settings to "private" on an Amazon Web Services (AWS) S3 bucket that the company has been using to store customer data since July 2, 2018.

Data exposed included personally identifying information (PII) of customers who had paid for restaurant meals using the PayMyTab service, then requested that a receipt be emailed or texted to them. 

When a customer clicked on the link to view their receipt, anyone with access to the S3 bucket database could view the customer's name, email address, or phone number and the last four digits from the payment card. 

Virtual onlookers could also view an interesting snapshot of what the customer had eaten, where they had eaten, and the time and date of their dining experience. 

PayMyTab markets itself as a service that provides consumers with "simplicity and security while paying," and claims in its privacy policy to "maintain appropriate administrative, physical, and technical safeguards for protection of the security, confidentiality, and integrity of data."

Those claims were proved false when the data breach was presented to vpnMentor on October 18 by Helen Foster, partner at Davis Wright Tremaine in Washington, DC. Foster learned of the leak from a source who wishes to remain anonymous.

vpnMentor contacted PayMyTab on October 22 and again on October 27 to inform them of the breach.   

"This data breach represents a serious lapse in basic security protocol for PayMyTab. By exposing this database, they risked the privacy of customers in their client restaurants, the restaurants themselves, as well as PayMyTab’s entire business. 

"The exposed customer PII makes those affected vulnerable to many forms of online attack and fraud," wrote vpnMentor researchers. 

"With the information exposed in this breach, hackers and cybercriminals could start building profiles of potential victims and target them for identity theft or phishing campaigns. The implications for their financial and personal security could be disastrous."

This callous security SNAFU, which could have so easily been prevented, may prove difficult to fix, according to vpnMentor researchers. 

They wrote: "Even if PayMyTab secures the S3 bucket, the receipts in question could still be exposed. PayMyTab will need to completely overhaul their data storage to resolve the issue."

Researchers warned that a hacker who accessed the bucket could have already downloaded the files, which they could then use to undermine any future randomized security measures placed on the bucket.

What’s hot on Infosecurity Magazine?