Leading Mexican Tourist Tax Refund Company Leaks Nearly Half a Million Customer Records with Credit Cards, Passport Scans and More Online
Have you been to Mexico in the last year as a tourist and applied for a tax refund on the money you spent while shopping there? If you have, chances are your passport, credit card, or other identification may have been leaked online. The Kromtech Security Research Center has discovered a misconfigured database with nearly half a million customer files that were left publicly accessible. These tourists traveled from around the world to enjoy Mexico’s beaches, warm weather, historical sites, or cities and had their private data exposed in the process.
The database appears to be connected with MoneyBack, a leading provider of tax refund (value-added tax refund or sales tax refund) services for international travelers in Mexico.
Moneyback is part of Prorsus Capital SAPI de CV, a Mexican Investment Fund. The most dangerous aspect of this discovery is the massive amount of data totaling more than 400GB.
How MoneyBack Works
They have created a network of affiliate stores that offer the tax refund as a type of discount to lower the final purchase price of certain goods tourists buy. These refunds make the most sense for luxury jewelry, gold, and diamonds that cost many thousands of dollars. According to MoneyBack’s General Director Danielle Van Der Kwartel, “International travelers can receive an 8.9% refund of the total amount they spend when shopping at any of the 6,500 MONEYBACK affiliated stores”. They also claim to provide service in more than 98% of Mexico’s air and maritime points of departure and to have 55 offices, airport booths, cruise ports, and shopping mall locations.
MoneyBack works closely with travel agents by providing training on its services to help them promote the tax refunds to their clients traveling to Mexico. It seems to be a profitable business and encourages shoppers to spend more, but are customers really saving that much money? Some credit card companies charge 3% foreign transaction fees, and it is unclear what fees MoneyBack charges customers or what commissions the travel agents receive. There are some complaints online about the bureaucracy of the Mexican Government taking up to 6 months to disburse refunds. Are the savings worth it?
How The Leak Happened
During a routine security audit, Kromtech Security Researchers discovered a misconfigured CouchDB that allowed public access to the data via a web browser. Those who follow cybersecurity news may remember that in early 2017 10% of CouchDB servers were victims of ransomware because of the same misconfiguration. Although MoneyBack is based in Mexico, the hosting and IP address are located in the United States. The database was publicly accessible and required no password or other authentication to view or download MoneyBack’s entire repository.
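The misconfiguration described above (a CouchDB node answering unauthenticated HTTP requests) is visible in the server's own configuration file. The script below is an added example, not code from the article, from Kromtech, or from MoneyBack: it parses a CouchDB local.ini and flags the three settings that together leave a node open to anyone who can reach it. The two configurations embedded in it are constructed for the demonstration; the option names ([admins], bind_address, require_valid_user) are CouchDB's documented ones, and the admin hash value is a placeholder.

```python
"""Audit a CouchDB local.ini for settings that permit anonymous access.

Added example (not from the article or from CouchDB/MoneyBack). Checks:
  1. empty [admins]  -> "admin party": every request runs with admin rights
                        (CouchDB 1.x/2.x; 3.0+ refuses to start this way)
  2. bind_address    -> 0.0.0.0 / :: exposes the HTTP API on every interface
  3. require_valid_user -> false lets unauthenticated clients read databases
"""
import configparser

# Constructed sample: the shape of a node that answers to anyone on the network.
WEAK_INI = """\
[couchdb]
database_dir = /var/lib/couchdb

[chttpd]
port = 5984
bind_address = 0.0.0.0
require_valid_user = false

[admins]
"""

# Constructed sample: the same node after hardening. The admin value is a
# placeholder for the -pbkdf2- hash CouchDB writes when an admin is created.
HARDENED_INI = """\
[couchdb]
database_dir = /var/lib/couchdb

[chttpd]
port = 5984
bind_address = 127.0.0.1
require_valid_user = true

[admins]
admin = -pbkdf2-PLACEHOLDER_HASH
"""


def audit_couchdb_ini(text: str) -> list:
    """Return a list of human-readable findings; an empty list means no issue found."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string(text)
    findings = []

    # 1. No admin accounts configured: CouchDB treats every caller as an admin.
    admins = cp["admins"] if cp.has_section("admins") else {}
    if not any(admins[k] for k in admins):
        findings.append("admin-party: no [admins] entries, every request is treated as admin")

    # 2./3. Both the clustered (chttpd) and legacy (httpd) listeners are checked.
    for section in ("chttpd", "httpd"):
        if not cp.has_section(section):
            continue
        bind = cp[section].get("bind_address", "127.0.0.1").strip()
        if bind in ("0.0.0.0", "::"):
            findings.append(f"{section}: bind_address={bind} exposes the HTTP API on every interface")
        rvu = cp[section].get("require_valid_user", "false").strip().lower()
        if rvu != "true":
            findings.append(f"{section}: require_valid_user={rvu} allows anonymous requests")

    return findings


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"== {name} ==")
        for finding in audit_couchdb_ini(ini) or ["no findings"]:
            print(" -", finding)
```

Run it against the two embedded samples and the weak configuration produces three findings while the hardened one produces none. Binding to 127.0.0.1 is the setting that would have kept a node like the one in this story off the public internet even if the other two were wrong; the other two matter once the node must be reachable from other hosts.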
Bob Diachenko, chief security communications officer, Kromtech Security Center:
Improperly storing digital data is one of the biggest threats facing consumers, businesses, and governments. Data can be backed up, copied, and reproduced very easily, and one small mistake could expose everything, as this case has demonstrated. It would seem logical that organizations would have multiple copies of production data in the event of some type of catastrophic event, ransomware, hacking, or other threats. However, the same backups that provide a kind of “insurance policy” when recovering from data loss are also the same culprit that makes a data leak more likely. The reality is that the more copies an organization has of their data, the higher the likelihood that a leak will occur.
What was leaked and who is affected?
Researchers identified passports from all over the world belonging to people who had used MoneyBack’s services. Among the top passports identified were citizens of the US, Canada, Argentina, Colombia, Italy, and many more. The data appears to cover every client who used their services between 2016 and 2017.
Database over 300 GB in size
455,038 scanned documents (passports, IDs, credit cards, travel tickets and more)
88,623 unique passport numbers registered or scanned
Mexico has a booming tourism industry despite travel warnings for certain areas and a history of gang violence and kidnappings. It was estimated that the country welcomed a record 35 million international tourists in 2016. Many tourists who will be buying expensive items on their vacation likely love the idea that they can have a portion of the sales taxes returned, but is it worth having your data exposed online?
How Tax Free Shopping in Mexico Works
Tax free sounds great, but there are some restrictions. Tourists must spend at least 1200 pesos ($67 USD) on Mexican goods (this does not apply to services such as hotel stays and food expenses). Tourists must also enter and leave Mexico by sea or air. The minimum purchase per store is 1,200 pesos with electronic payment, and cash purchases cannot exceed 3,000 pesos ($168 USD). Another issue to consider is that you will have to file yourself with the bureaucracy of the Mexican Tax Authorities or give your personal information, credit card, and identification to a third-party company such as MoneyBack.
Tourists need to shop at an affiliated store with “Tax Free shopping”.
They must ask for an official invoice with the store’s tax ID number.
When tourists leave by air or by ship, they can submit their tax paperwork at a Tax Free booth, at one of the offices, or through several other channels.
Although MoneyBack estimates 40 days to receive a refund, complaints report waits of up to 6 months.
The Danger of This Data?
Alex Kernishniuk, VP of strategic alliances, Kromtech:
Cyber criminals could have all of the information they would need to commit identity fraud or use the hundreds of thousands of credit card numbers that were in the database. This is once again a warning to companies or organizations who collect sensitive data to take every possible step to ensure that proper data security measures are used. Time and time again, simple human errors that could be easily avoided expose sensitive data on the internet. It is unclear if anyone other than security researchers accessed the data or how MoneyBack will notify their customers around the globe that their data has been exposed.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.