Have you travelled to the sandy beaches of Mexico recently? If you have, chances are you might be among the thousands of tourists whose private data was freely exposed to hackers. Critically sensitive personal information belonging to nearly half a million people, including credit card data, passports, travel information and more, was found freely exposed in an unsecured database.
Security researchers discovered that the leaked database was linked to MoneyBack, a firm that offers tax refunds on purchases to international tourists. The firm has partnered with retail stores across the nation to encourage tourists to shop more in exchange for the tax breaks.
However, MoneyBack appears to have run an insecure database, containing over 400GB of data, all of which could potentially have been easily accessed by hackers. Researchers at Kromtech Security, who discovered the breach, said that the database was not password protected. "Among the top passports identified were citizens of the US, Canada, Argentina, Colombia, Italy, and many more. It appears to be every client that has used their services between 2016 and 2017," Kromtech researchers said in a blog.
The database contained 455,038 scanned documents, which included MoneyBack customers' IDs, credit card information and 88,623 unique passport numbers.
Kromtech Security researcher Bob Diachenko told IBTimes UK that the firm first came across the database in August, adding, "but I only reviewed it on September 4th and analyzed the sensitive data to identify MoneyBack.mx behind the exposure."
Diachenko said that the first documents uploaded onto the insecure database date back to 2015, while the most recent uploads date to May 2017. When asked about the possibility of hackers having already accessed the data, Diachenko responded, "The chances are big that anybody could have accessed the data, so if you were traveling to Mexico during that time and claimed your VAT/sales tax back via MoneyBack.mx, then your data would be probably there."
The security expert said that MoneyBack secured the database after it was alerted about the incident. However, it remains unclear how long the data was freely and publicly available before it was secured. It is also unclear whether MoneyBack has notified customers about the incident. IBTimes UK has reached out to MoneyBack for further clarity on the incident and is awaiting a response.