Mexican tax refund firm MoneyBack leaks thousands of passports and credit cards

Identification and travel documents, including passports, driving licenses, and boarding passes, of recent visitors to Mexico have been exposed by a security lapse.

Tens of thousands of passports were found in the exposed database. (Image: file photo)

If you traveled to Mexico in the past year and applied for a tax refund on goods you bought while visiting, there's a good chance your personal data has been exposed.

More than 455,000 scanned documents, including passports, identification cards, credit cards, and travel tickets and boarding passes, were stored in an unsecured database owned by MoneyBack, a Mexico City-based tax refund service.

The database contained hundreds of gigabytes worth of records on what's thought to be "every client" who used the service in the past year, according to security researchers at the Kromtech Security Research Center, who discovered the exposed database.

The data was stored in a misconfigured CouchDB database, which was accessible to anyone with a web browser -- no password needed -- until Tuesday when the data was secured.
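The settings below are an added illustration of the class of misconfiguration the article describes, written for this page and not taken from the article, Kromtech, or MoneyBack; nothing is known about MoneyBack's actual configuration. It assumes a CouchDB 2.x `local.ini`, where leaving the `[admins]` section empty puts the server in "admin party" mode (every request runs with full admin rights) and binding the HTTP interface to all addresses exposes it directly to the internet. Each weak line is shown commented out beside its hardened replacement.

```ini
; Added example, not the article's or MoneyBack's configuration.
; Assumes CouchDB 2.x local.ini keys.

[admins]
; Weak: an empty [admins] section means no credentials are ever required.
; Hardened: define at least one admin. CouchDB replaces a plaintext value
; here with a salted PBKDF2 hash on its next start, so a plaintext entry is
; only ever present briefly on disk.
admin = CHANGE_ME_placeholder_password

[chttpd]
; Weak: listen on every interface, reachable from any browser on the internet.
; bind_address = 0.0.0.0
; Hardened: listen on loopback (or a private address) and front it with a
; reverse proxy that terminates TLS and adds its own authentication.
bind_address = 127.0.0.1

; Weak: anonymous requests may list databases and read documents.
; require_valid_user = false
; Hardened: reject every request that does not carry valid credentials,
; including GET /_all_dbs and document reads.
require_valid_user = true
```

After applying a change like this, the check a defender would run is from outside the host: an unauthenticated request to the server's `/_all_dbs` path should return an authentication error rather than a list of databases, and the port should not be reachable from the public internet at all.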

According to Kromtech, most of the 88,623 unique passports found in the database were from the US, Canada, Argentina, Colombia, and several European countries.

[Image: scanned passport cards found in the database] (Image: supplied)

Many of the scans also included front and back images of the credit cards used to verify purchases, which, if viewed, could be used by thieves to make unauthorized purchases.

MoneyBack is one of the few companies that handle tax refund services for tourists visiting Mexico. The company allows visitors and tourists who spend $1,200 pesos ($65 US dollars) or more to claim back tax paid on purchases of luxury items and goods in more than 6,000 affiliated stores in the country. In order to obtain their tax refund, the purchaser has to upload their personal information, such as their passport and credit card, for verification. In return, MoneyBack takes a cut of the refund.

Kromtech's Alex Kernishniuk said that it wasn't known if anyone beyond the company's own security researchers accessed the data. The researchers noted that the database had not been locked by ransomware, unlike thousands of other equally unprotected databases which have fallen victim to hackers.

"This is once again a warning to companies or organizations who collect sensitive data to take every possible step to ensure that proper data security measures are used," said Kernishniuk.

MoneyBack did not return a request for comment.

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755–8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
