[BreachExchange] PayMyTab Exposes Restaurant Customer Data: Report

Destry Winant destry at riskbasedsecurity.com
Thu Nov 21 10:06:05 EST 2019


https://www.databreachtoday.com/paymytab-exposes-restaurant-customer-data-report-a-13425

An unsecured cloud storage bucket belonging to PayMyTab, a company that
provides U.S. restaurants with mobile payment apps and devices, left
partial payment card data and other customer data exposed, according
to a new report from two independent security researchers.

The unsecured Amazon Web Services S3 bucket was discovered by Noam
Rotem and Ran Locar, self-described security researchers and
hacktivists, according to their Tuesday blog post on the site
vpnMentor. The researchers have made a series of blog posts about
exposed databases in recent months (see: Investigation Launched After
Ecuadorian Records Exposed).

The two researchers say they contacted PayMyTab, which is based in San
Francisco, in late October about the data exposure. PayMyTab did not
immediately reply to a request for comment on whether the database has
been secured.

In their report, Rotem and Locar don't say how large the unsecured
database is. But they note that the information it contained could
affect "10,000s of people."

The exposed data includes the last four digits of payment card
numbers; the customer name, email address and telephone number; the
date, time and location of the restaurant visited; and even details
about the meal order, according to the blog post.

"This data breach represents a serious lapse in basic security
protocol for PayMyTab," the two researchers write. "By exposing this
database, they risked the privacy of customers in their client
restaurants, the restaurants themselves, as well as PayMyTab's entire
business."

Tracking Security Lapses

As part of an ongoing research project to map the internet, Rotem and
Locar have come across numerous databases that have been left
unsecured by their owners (see: Unsecure Database Exposed US Military
Personnel Data: Report).

In the case of PayMyTab, however, the two researchers were tipped off
by an anonymous source who found this particular Amazon Simple Storage
Service, or S3, bucket earlier this year, according to the blog. (S3
is object storage rather than a database, although the report refers
to it as one.)

The researchers received the tip about the database Oct. 18. They say
they contacted PayMyTab on Oct. 22 and Oct. 27, but did not receive an
answer.

It's not clear how long this bucket was left exposed, but the
researchers note that PayMyTab first began storing data in an S3
bucket in July 2018. PayMyTab did not follow AWS's published guidance
for securing S3 buckets, Rotem and Locar claim.

"The S3 bucket contained detailed records of any customer at a
restaurant using PayMyTab who had chosen to have their receipt emailed
to them after a meal," the researchers write. "By providing their
email address, they could view their receipt online from their email
inbox. If they clicked a link to view the receipt, their PII was
exposed to anybody with access to the S3 bucket database."

Remediation

One way for PayMyTab to quickly remediate the leak is by keeping the
bucket "public" and removing only the "list" permission (the
s3:ListBucket action), so that anonymous visitors can no longer
enumerate the object names in the bucket, the two researchers say.

The researchers note, however, that this method is not always
effective. Removing the list permission only hides object names; any
object whose key is already known remains readable by anyone. If
another hacker had already listed the bucket and downloaded the files,
that hacker would still hold the consumer data on the receipts and the
object keys themselves, which would defeat any later attempt to
protect the bucket by giving objects unguessable, randomized names,
according to the blog.

"To ensure this doesn't happen, PayMyTab will need to follow AWS
access and authentication best practices and add more layers of
protection to their S3 bucket, thus restricting who can access it from
every point of entry," the researchers write.
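The remediation discussion above turns on a point that is easy to get wrong: an S3 bucket that loses its public "list" permission is still public if objects remain readable by an anonymous principal. The following added example (not code from PayMyTab, vpnMentor or the article) evaluates three constructed bucket policies for anonymous read access and classifies each the way an auditor would. The bucket name, the IAM role ARN and the policies themselves are assumptions made up for the example; the treatment of conditioned statements (ignored entirely) is a simplification noted in the code.

```python
"""Added example: classify S3 bucket policies by what an anonymous caller can do.
Bucket names, ARNs and policies are constructed for illustration."""
import fnmatch

# Actions an unauthenticated reader cares about: ListBucket exposes object
# keys (names), GetObject exposes the objects themselves.
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket"}


def _as_list(value):
    """Policy JSON allows most fields to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when a statement's Principal matches everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def anonymous_read_actions(policy):
    """Return the read actions an unauthenticated caller is allowed by a policy.

    Only statements with an anonymous principal and no Condition are counted;
    a matching Deny cancels an Allow. Ignoring conditioned statements is an
    assumption made for this example, not how IAM evaluates them in full.
    Action patterns such as "s3:*" or "s3:Get*" are matched case-insensitively.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if not _is_anonymous(stmt.get("Principal")) or stmt.get("Condition"):
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        granted = {a for a in READ_ACTIONS
                   if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}
        if stmt.get("Effect") == "Allow":
            allowed |= granted
        elif stmt.get("Effect") == "Deny":
            denied |= granted
    return allowed - denied


def assess(policy, block_public_access):
    """Classify a bucket. block_public_access mirrors the bucket-level "Block all
    public access" setting (all four options on), which makes S3 ignore anonymous
    grants in the policy regardless of its content."""
    if block_public_access:
        return "private"
    actions = anonymous_read_actions(policy)
    if "s3:ListBucket" in actions and "s3:GetObject" in actions:
        return "public: objects enumerable and readable"
    if "s3:ListBucket" in actions:
        return "public: object names enumerable"
    if "s3:GetObject" in actions:
        return "public: readable by anyone who knows an object key"
    return "private"


# Constructed sample policies (assumed for the example, not PayMyTab's real ones).
EXPOSED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReceipts", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-receipts", "arn:aws:s3:::example-receipts/*"]}]}

# The quick fix the article describes: keep the bucket public, drop listing only.
LIST_REMOVED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReceiptsNoList", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-receipts/*"}]}

# Hardened: no anonymous principal at all; one named role reads receipts.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ReceiptServiceOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/receipt-mailer"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-receipts/*"}]}


if __name__ == "__main__":
    for name, policy in [("exposed", EXPOSED_POLICY),
                         ("list removed", LIST_REMOVED_POLICY),
                         ("hardened", HARDENED_POLICY)]:
        print(f"{name:13s} -> {assess(policy, block_public_access=False)}")
```

Run stand-alone, the script reports the "list removed" policy as still public: anyone holding an object key from an earlier download, or able to guess one, can keep fetching receipts. Only the hardened policy, or turning on Block Public Access, yields "private", which is the "restricting who can access it from every point of entry" the researchers describe.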


More information about the BreachExchange mailing list