An exposed database belonging to PayMyTab leaked PII on customers who dined at restaurants using the mobile payment system.
An anonymous third party discovered the open AWS S3 bucket and brought it to the attention of researchers at vpnMonitor through Helen Foster, a partner at the Davis Wright Tremaine law firm in Washington.
“This leak represents a failure in basic data security by PayMyTab and, in turn, makes 10,000s of people vulnerable to online fraud and attacks,” according to a blog post from the vpnMonitor research team led by Noam Rotem and Ran Locar.
Calling the data leak “a prime example of how S3 buckets are often overused and disregarded,” Dean Sysman, CEO and co-founder at Axonius, said, “Because it’s so easy to back up mass amounts of data to these storage buckets, IT teams tend to not inspect what they’re backing up and don’t understand who has access to this data.”
The exposed S3 bucket is home to records of customers of restaurants that use PayMyTab and who chose to have their payment receipts emailed to them. “If they clicked a link to view the receipt, their PII was exposed to anybody with access to the S3 bucket database,” the researchers said. Information exposed included names, email addresses, phone numbers, the last four digits of payment card numbers, order details and other information about the customer’s restaurant visit, such as restaurant name and location as well as time and date of the meal.
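The exposure above comes down to a bucket whose ACL, policy or Block Public Access settings let anyone read it. The following is an added example, not code from the article or from PayMyTab, showing the checks a defender would run over those three settings; the dictionaries mirror the shapes boto3 returns from get_bucket_acl, get_bucket_policy and get_public_access_block, and the bucket name and sample data are constructed placeholders.

```python
import json

# The two grantee groups that make an S3 ACL grant "public".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl):
    """Return (grantee URI, permission) for every ACL grant to a public group."""
    return [
        (g["Grantee"]["URI"], g["Permission"])
        for g in acl.get("Grants", [])
        if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS
    ]

def public_policy_statements(policy):
    """Return Sids of Allow statements whose Principal is '*' and carry no Condition."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # a policy may hold a single statement object
        stmts = [stmts]
    flagged = []
    for s in stmts:
        p = s.get("Principal")
        wildcard = p == "*" or (isinstance(p, dict) and p.get("AWS") in ("*", ["*"]))
        if s.get("Effect") == "Allow" and wildcard and not s.get("Condition"):
            flagged.append(s.get("Sid", "<no Sid>"))
    return flagged

def block_public_access_complete(cfg):
    """True only if all four account/bucket Block Public Access switches are on."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(cfg.get(k) is True for k in keys)

# Constructed sample (hypothetical bucket "example-receipts"): readable by everyone.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicReceipts", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-receipts/*"}]}""")
SAMPLE_BPA = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

def audit(acl, policy, bpa):
    """Return human-readable findings; an empty list means no public exposure detected."""
    findings = [f"ACL grants {perm} to {uri}" for uri, perm in public_acl_grants(acl)]
    findings += [f"policy statement {sid} allows any principal" for sid in public_policy_statements(policy)]
    if not block_public_access_complete(bpa):
        findings.append("Block Public Access is not fully enabled")
    return findings
```

Running `audit(SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_BPA)` reports all three problems for the constructed bucket; the same functions applied to real API responses flag buckets that are readable by anyone before a third party finds them.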
“This latest cyber incident illustrates how security issues can extend to businesses’ supply chain. In this case, the personal information of restaurant customers was exposed through PayMyTab’s unsecured AWS bucket,” said Elad Shapira, head of research at Panorays. “Having the correct security measures in place could have prevented this from occurring. When a business relationship is formed, security – a major form of risk – must be taken into consideration.”
Shapira called on businesses to “vet their partners from a security perspective, checking their security posture, practices and procedures” and “then work with the partner to close any gaps prior to onboarding.”
Even after the partners are onboarded, the companies must continue to monitor them “to avoid any future mishap, as security must be seen as an ongoing process.”