Sensitive and personal information belonging to PayMyTab customers has been exposed due to an open AWS bucket, researchers have revealed.
On Tuesday, vpnMentor cybersecurity researchers, led by Noam Rotem and Ran Locar, disclosed a data leak in which sensitive Personally Identifiable Information (PII) and partial financial details were made available online.
The team was tipped off to the existence of an unsecured Amazon Web Services (AWS) S3 bucket, for which PayMyTab "failed to follow Amazon's security protocols" and which required no authentication to access.
The anonymous individual that notified vpnMentor did so in order to "raise awareness" of the security breach and encourage other mobile payment providers to consider security and data protection more seriously.
PayMyTab works with restaurants to provide mobile and card terminals which also pull in customer data for the purposes of CRM and service improvement.
However, this information was leaked, including customer names, email addresses, telephone numbers, order details, restaurant visit information -- such as when and where -- as well as the last four digits of customer payment card numbers.
According to the researchers, the bucket was exposed from July 2, 2018, until November. While no exact figures on the amount of data leaked or the number of customers have been released, vpnMentor says that the leak has left "10,000s of people vulnerable to online fraud and attacks."
vpnMentor was made aware of the data leak on 18 October. PayMyTab was contacted on 22 October and 27 October.
"As ethical hackers, we're obliged to inform a company when we discover flaws in their online security," the researchers say. "This is especially true when the company's data breach contains such private information. However, these ethics also mean we carry a responsibility to the public. PayMyTab users must be aware of a data breach that impacts them also."
ZDNet has reached out to PayMyTab but has not heard back at the time of publication.
vpnMentor operates a web mapping project in which the discovery of open and unsecured databases is a common occurrence.
The cybersecurity researchers have previously encountered and disclosed databases leaking the PII of millions of Ecuadorian citizens, millions of user accounts belonging to adult websites, the security logs of major hotel chains, information belonging to US government and military officials, and confidential emails sent between manufacturers and enterprise clients.