Tourists that visited Mexico in the past year, and applied for a tax refund on goods purchased while there, may have had their personal information exposed.
According to security researchers, a database containing over 455,000 documents – including scanned passports, identification cards, credit cards, boarding passes and travel tickets – was left open to the Internet.
Amounting to roughly 400GB, the trove of data was linked to MoneyBack, a Mexico City-based tax refund service provider for international travelers in Mexico.
Researchers at Kromtech said they discovered the misconfigured CouchDB database during a routine security audit:
“Although MoneyBack is based in Mexico, the hosting and IP address is located in the United States. The database was publicly accessible and required no password protection or other authentication to view or download MoneyBack’s entire repository.”
The data leak is believed to affect every MoneyBack client that used its services between 2016 and 2017, said Kromtech. Among the 88,623 passports in the database, most belonged to citizens of the US, Canada, Argentina, Colombia and Italy.
Alex Kernishniuk, VP of strategic alliances at Kromtech, warns that cyber criminals could have all of the information necessary to commit identity fraud, or use the hundreds of thousands of credit card numbers stored in the database.
“This is once again a warning to companies or organizations who collect sensitive data to take every possible step to ensure that proper data security measures are used. Time and time again, simple human errors that could be easily avoided expose sensitive data on the internet,” said Kernishniuk.
As of this writing, it is unclear whether the data was accessed by anyone other than the security researchers.
The incident follows several other recent high-profile breaches, including the instance in which data firm Deep Root Analytics exposed the sensitive information of 198 million American voters. Major companies like Verizon and Dow Jones also inadvertently leaked millions of customer records as a result of a simple misconfiguration.
Tripwire’s Chief Technology Officer David Meltzer reminds organizations that many misconfigurations can be easy to correct:
“Secure configuration management (SCM) is the control that assures systems are set up and maintained in a way that minimizes risk while still providing the essential business function of the system. Maintaining configurations is so vital to an organization’s data integrity that just about every security framework and compliance regulation related to security calls for SCM,” says Meltzer.