PayMyTab Exposes Data of US Restaurant Goers

A mobile payments provider exposed the data of thousands of US restaurant goers for 16 months by failing to follow security protocols. 

PayMyTab didn't change the security settings to "private" on an Amazon Web Services (AWS) S3 bucket that the company has been using to store customer data since July 2, 2018.

Data exposed included personally identifying information (PII) of customers who had paid for restaurant meals using the PayMyTab service, then requested that a receipt be emailed or texted to them. 

When a customer clicked on the link to view their receipt, anyone who could reach the S3 bucket could view the customer's name, email address or phone number, and the last four digits of their payment card.

Virtual onlookers could also view an interesting snapshot of what the customer had eaten, where they had eaten, and the time and date of their dining experience. 

PayMyTab markets itself as a service that provides consumers with "simplicity and security while paying," and claims in its privacy policy to "maintain appropriate administrative, physical, and technical safeguards for protection of the security, confidentiality, and integrity of data."

Those claims were proved false when the data breach was presented to vpnMentor on October 18 by Helen Foster, partner at Davis Wright Tremaine in Washington, DC. Foster learned of the leak from a source who wishes to remain anonymous.

vpnMentor contacted PayMyTab on October 22 and again on October 27 to inform them of the breach.

"This data breach represents a serious lapse in basic security protocol for PayMyTab. By exposing this database, they risked the privacy of customers in their client restaurants, the restaurants themselves, as well as PayMyTab’s entire business. 

"The exposed customer PII makes those affected vulnerable to many forms of online attack and fraud," wrote vpnMentor researchers. 

"With the information exposed in this breach, hackers and cybercriminals could start building profiles of potential victims and target them for identity theft or phishing campaigns. The implications for their financial and personal security could be disastrous."

This callous security SNAFU, which could have so easily been prevented, may prove difficult to fix, according to vpnMentor researchers. 

They wrote: "Even if PayMyTab secures the S3 bucket, the receipts in question could still be exposed. PayMyTab will need to completely overhaul their data storage to resolve the issue."

Researchers warned that a hacker who accessed the bucket could have already downloaded the files, which they could then use to undermine any future randomized security measures placed on the bucket.
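The exposure described above comes down to bucket configuration: Block Public Access left unset, a policy or ACL that grants read access to everyone. The script below is an added example for this article, not code from PayMyTab, vpnMentor or AWS; it audits the three settings an S3 bucket exposes for public access and flags the ones that leave objects world-readable. The input structures follow the shape of the JSON returned by the S3 API (GetPublicAccessBlock, GetBucketPolicy, GetBucketAcl), but every sample value here is constructed, and the bucket name and owner ID are placeholders.

```python
"""Audit helpers for spotting an S3 bucket that is readable by anyone.

Added example; not code from PayMyTab, vpnMentor or AWS. The inputs mirror
the shape of the JSON the S3 API returns for GetPublicAccessBlock,
GetBucketPolicy and GetBucketAcl, but the sample values are constructed.
"""
import json
from typing import List, Optional

# URI AWS uses in ACL grants for "everyone on the internet".
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
# Any signed-in AWS account, which is still effectively public.
AUTH_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

PUBLIC_READ_ACTIONS = ("s3:GetObject", "s3:ListBucket", "s3:*", "*")


def public_access_block_findings(pab: Optional[dict]) -> List[str]:
    """One finding per Block Public Access setting that is off or missing."""
    required = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
    if pab is None:
        return ["Block Public Access is not configured on the bucket"]
    return [f"Block Public Access setting {k} is disabled"
            for k in required if not pab.get(k)]


def _principal_is_public(principal) -> bool:
    # A statement is public when its principal is "*" or {"AWS": "*"}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_findings(policy_json: Optional[str]) -> List[str]:
    """Flag Allow statements that let any principal read, with no Condition."""
    if not policy_json:
        return []
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        read = [a for a in actions if a in PUBLIC_READ_ACTIONS]
        if read and "Condition" not in stmt:
            sid = stmt.get("Sid", "<unnamed>")
            findings.append(f"Policy statement {sid} grants {', '.join(read)} to everyone")
    return findings


def acl_findings(grants: List[dict]) -> List[str]:
    """Flag ACL grants to the AllUsers or AuthenticatedUsers groups."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS_URI, AUTH_USERS_URI):
            who = "everyone" if grantee["URI"] == ALL_USERS_URI else "any AWS account"
            findings.append(f"ACL grants {grant.get('Permission')} to {who}")
    return findings


def assess_bucket(pab: Optional[dict], policy_json: Optional[str], grants: List[dict]) -> List[str]:
    """Run all three checks; an empty list means nothing public was found."""
    return public_access_block_findings(pab) + policy_findings(policy_json) + acl_findings(grants)


# Constructed sample: a bucket left readable by anyone, as the article describes.
EXPOSED_PAB = None  # Block Public Access never enabled
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-receipts-bucket/*",  # placeholder bucket name
    }],
})
EXPOSED_GRANTS = [{"Grantee": {"Type": "Group", "URI": ALL_USERS_URI}, "Permission": "READ"}]

# Constructed sample: the same bucket after remediation.
PRIVATE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
PRIVATE_POLICY = None
PRIVATE_GRANTS = [{"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE_OWNER_ID"},
                   "Permission": "FULL_CONTROL"}]

if __name__ == "__main__":
    for label, args in (("exposed", (EXPOSED_PAB, EXPOSED_POLICY, EXPOSED_GRANTS)),
                        ("private", (PRIVATE_PAB, PRIVATE_POLICY, PRIVATE_GRANTS))):
        print(label, assess_bucket(*args) or ["no public access found"])
```

The checks are deliberately independent: Block Public Access overrides public policies and ACLs when all four settings are on, but auditing the policy and ACL separately still tells you whether the bucket would become public the moment someone relaxes that guard, which is the situation the researchers warn about when they say securing the bucket alone may not be enough.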
