Mexican tax refund MoneyBack site exposed 400GB of sensitive customer data

Experts from security firm Kromtech discovered the Mexican VAT refund site MoneyBack exposed 400GB of sensitive information.

Another huge data leak made the headlines, experts from security firm Kromtech discovered the Mexican VAT refund site MoneyBack exposed sensitive customer information online. because of a misconfigured database.

Kromtech discovered the unsecured CouchDB during a routine security audit.

The Mexican VAT refund site MoneyBack is used by tourists that applied for a tax refund on the money they have spent in the country while shopping there.

The data leak was the result of a misconfigured Apache CouchDB database containing roughly 500,000 customers’ passport details, credit card numbers, travel tickets.

“The Kromtech Security Research Center has discovered a misconfigured database with nearly half a million customer files that were left publically accessible.” reads the analysis published by Kromtech.

“The database appears to be connected with MoneyBack, a leading provider of tax refund (value-added tax refund or sales tax refund) services for international travelers in Mexico.

Moneyback is part of Prorsus Capital SAPI de CV, a Mexican Investment Fund. The most dangerous aspect of this discovery is the massive amount of data totaling more than 400GB.”

The experts discovered more than 400GB of sensitive data left open accessible online, the huge trove of information includes 455,038 scanned documents (Passports, IDs, Credit Cards, Travel Tickets & More) and 88,623 unique passport numbers registered or scanned.

The experts identified passports from all over the world, mostly belonging to citizens from the US, Canada, Argentina, Colombia, and Italy that used the services between 2016 and 2017.

Which are the risks related to the exposure of such kind of data?

“Cyber criminals could have all of the information they would need to commit identity fraud or use the hundreds of thousands of credit card numbers that were in the database.” states Alex Kernishniuk, VP of strategic alliances, Kromtech.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – MoneyBack, DataLeak)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.