PayMyTab data leak exposes personal information belonging to mobile diners

Data exposure was caused by an open AWS database.

Sensitive and personal information belonging to PayMyTab customers has been exposed due to an open AWS bucket, researchers have revealed. 

On Tuesday, vpnMentor cybersecurity researchers, led by Noam Rotem and Ran Locar, disclosed a data leak in which sensitive Personally Identifiable Information (PII) and partial financial details were made available online. 

The team was tipped off to the existence of an unsecured Amazon Web Services (AWS) S3 bucket, for which PayMyTab "failed to follow Amazon's security protocols" and which required no authentication to access.

The anonymous individual that notified vpnMentor did so in order to "raise awareness" of the security breach and encourage other mobile payment providers to consider security and data protection more seriously. 

PayMyTab works with restaurants to provide mobile and card terminals which also pull in customer data for the purposes of CRM and service improvement. 

However, this information was leaked, including customer names, email addresses, telephone numbers, order details, restaurant visit information -- such as when and where -- as well as the last four digits of customer payment card numbers. 

According to the researchers, the bucket was exposed from July 2, 2018, until November. While no exact figures on the amount of data leaked or the number of customers affected have been released, vpnMentor says that the leak has left "10,000s of people vulnerable to online fraud and attacks."

vpnMentor was made aware of the data leak on 18 October. PayMyTab was contacted on 22 October and 27 October. 

"As ethical hackers, we're obliged to inform a company when we discover flaws in their online security," the researchers say. "This is especially true when the company's data breach contains such private information. However, these ethics also mean we carry a responsibility to the public. PayMyTab users must be aware of a data breach that impacts them also."

ZDNet has reached out to PayMyTab but has not heard back at the time of publication. 

vpnMentor operates a web mapping project in which the discovery of open and unsecured databases is a common occurrence.

The cybersecurity researchers have previously encountered and disclosed databases leaking the PII of millions of Ecuadorian citizens, millions of user accounts belonging to adult websites, the security logs of major hotel chains, information belonging to US government and military officials, and confidential emails sent between manufacturers and enterprise clients. 
