Mexican tax refund MoneyBack site exposed 400GB of sensitive customer data

Share this…

Experts from security firm Kromtech discovered the Mexican VAT refund site MoneyBack exposed 400GB of sensitive information.

Another huge data leak made the headlines, experts from security firm Kromtech discovered the Mexican VAT refund site MoneyBack exposed sensitive customer information online. because of a misconfigured database.

Kromtech discovered the unsecured CouchDB during a routine security audit.

The Mexican VAT refund site MoneyBack is used by tourists that applied for a tax refund on the money they have spent in the country while shopping there.

The data leak was the result of a misconfigured Apache CouchDB database containing roughly 500,000 customers’ passport details, credit card numbers, travel tickets.

“The Kromtech Security Research Center has discovered a misconfigured database with nearly half a million customer files that were left publically accessible.” reads the analysis published by Kromtech. 

“The database appears to be connected with MoneyBack, a leading provider of tax refund (value-added tax refund or sales tax refund) services for international travelers in Mexico.

Moneyback is part of Prorsus Capital SAPI de CV, a Mexican Investment Fund. The most dangerous aspect of this discovery is the massive amount of data totaling more than 400GB.”

The experts discovered more than 400GB of sensitive data left open accessible online, the huge trove of information includes 455,038 scanned documents (Passports, IDs, Credit Cards, Travel Tickets & More) and 88,623 unique passport numbers registered or scanned.

MoneyBack mexico

The experts identified passports from all over the world, mostly belonging to citizens from the US, Canada, Argentina, Colombia, and Italy that used the services between 2016 and 2017.

Which are the risks related to the exposure of such kind of data?

“Cyber criminals could have all of the information they would need to commit identity fraud or use the hundreds of thousands of credit card numbers that were in the database.” states Alex Kernishniuk, VP of strategic alliances, Kromtech.