Mexican Tourist Company Leaks Credit Cards and Passports

Businessman calculating and checking articles of agreement

Over 88,000 could be at risk due to accidental open access to tax refund company database.

Travelers who have used MoneyBack to receive a tax refund on purchases in Mexico could have their personal data compromised, including credit card numbers and passport scans. MacKeeper Security Center reports the data breach was due to a misconfigured database that allowed for public access.

MoneyBack is a tax refund program extended to foreign travelers to encourage spending while in Mexico. To qualify, travelers must register at an airport or cruise terminal after entering the country, spend at least $67 and provide identifying data including passports, credit card information, receipts and travel information.

The breach was discovered by Kromtech Security Researchers during a routine website audit. In reviewing data, researchers discovered that the databases were accessible through internet browsers to individuals who knew where the data was located. No passwords or other authentication was required to see the sensitive information.

Although travel to the Central American nation is common for American travelers, those who reside in the United States were not the only ones affected. The database contained over 450,000 scanned documents and over 88,000 unique passport numbers, spanning over 300 gigabytes. Data was collected between 2015 and May 2017 from travelers all over the world, including those from Canada, Italy and across South America.

While the security breach has been fixed, MoneyBack has not publically commented on the situation. It is unknown just how many identities could be at risk, or how the company will help those who have their data stolen through the open access.

According to MacKeeper, this type of open data access is a common problem for the server type. Their data suggests up to 10 percent of similar servers were targeted for malware and ransomware attacks.

[Photo: Shutterstock]