Report: Mobile Payments Provider Leaks Data of US Restaurant Diners Nationwide

vpnMentor’s research team, led by Noam Rotem and Ran Locar, were recently informed of a huge lapse in security by PayMyTab that exposed the data of consumers across the USA.

PayMyTab supplies restaurants across the US with card and mobile payment terminals that offer customers and businesses a more streamlined payment process. 

The exposed database contained highly sensitive Personally Identifying Information (PII) data for customers dining in restaurants that have integrated PayMyTab into their service.

This leak represents a failure in basic data security by PayMyTab and, in turn, makes 10,000s of people vulnerable to online fraud and attacks.

Timeline of Discovery and Owner Reaction

While the party who discovered the data leak has asked to remain anonymous, they brought the issue to our attention via Helen Foster, Partner at Davis Wright Tremaine in Washington, DC.

In doing so, they hoped to bring greater attention to this lapse specifically, and also prompt other companies within the mobile payments industry to invest in better data security in general.

Once our team received a detailed breakdown of the data leak, they investigated further to confirm PayMyTab as the owner of the database and the full extent of the leak.

Understanding a breach and its potential impact takes careful attention and time. Our team needs to be thorough and make sure everything we find is correct and true. Occasionally, the affected businesses deny the facts, disregarding our research or playing down its impact.

In this case, after we contacted PayMyTab to inform them of the data breach and offer our help.

• Date information was presented to us: 18/10/19
• Date vendors contacted: 22/10/19
• Date of 2nd contact attempt (if relevant): 27/10

Example of Entries in the Database

PayMyTab promotes its services as providing consumers with “simplicity and security while paying.”

On its Privacy Policy, PayMyTab states that it:

“maintain[s] appropriate administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of [d]ata...”

Based on the data exposed within this leak, these statements are inaccurate at best.

Starting from July 2nd, 2018 to the present day, PayMyTab hosted the PII data of consumers on an Amazon Web Services (AWS) S3 bucket - a common form of storage on AWS. While S3 buckets are a popular and safe method of storage, PayMyTab had failed to follow Amazon’s security protocols, leaving theirs unsecured. 

The S3 bucket contained detailed records of any customer at a restaurant using PayMyTab, who had chosen to have their receipt emailed to them after a meal. By providing their email address, they could view their receipt online from their email inbox.

If they clicked a link to view the receipt, their PII was exposed to anybody with access to the S3 bucket database.

Examples of customer PII data that were viewable included:

• Customer’s name
• Email address or cell telephone number
• Last 4 digits of the payment card number
• Order details (meal items)
• The date, time, location, and name of the restaurant visited

Below is a diner’s receipt, with their email address and PII redacted by us:

Data Breach Impact

This data breach represents a serious lapse in basic security protocol for PayMyTab. By exposing this database, they risked the privacy of customers in their client restaurants, the restaurants themselves, as well as PayMyTab’s entire business.

The exposed customer PII makes those affected vulnerable to many forms of online attack and fraud. 

With the information exposed in this breach, hackers and cybercriminals could start building profiles of potential victims and target them for identity theft or phishing campaigns. The implications for their financial and personal security could be disastrous.

For businesses using PayMyTab, they stand to lose the trust of the customers. Data security is a growing concern for all consumers, regardless of what website, tool, or platform they’re using. If they don't trust a restaurant to protect their data, customers will be less likely to dine there. 

The same trust issues extend to PayMyTab. The S3 bucket database was exposed due to a basic oversight, calling into question their wider data security protocols. Even if they resolve this issue, clients may be reluctant to use PayMyTab in the future.

Finally, even if PayMyTab secures the S3 bucket, the receipts in question could still be exposed (see below why). PayMyTab will need to completely overhaul their data storage to resolve the issue.

Securing an Open S3 Bucket

It’s important to note that open, publicly viewable S3 buckets are not a flaw of AWS. They’re usually the result of an error by the owner of the bucket. Amazon provides detailed instructions to AWS users to help them secure S3 buckets and keep them private.

In the case of PayMyTab, the quickest way to fix this error is to keep the bucket “public” (so people can still access their receipts via the email link) but remove certain “list” permissions from it. However, this is still not fully effective.

If another hacker had accessed the bucket and downloaded the files within, they would still have access to the consumer data on the receipts. They could use this to undermine any future randomized security measures placed on the bucket.

Without further authentication protocols, this makes bucket vulnerable to brute force attacks that would expose the private data of future consumers. 

To ensure this doesn’t happen, PayMyTab will need to follow AWS access and authentication best practices and add more layers of protection to their S3 bucket, thus restricting who can access it from every point of entry.

Advice from the Experts

PayMyTab could have easily avoided this leak if they had taken some basic security measures to protect the S3 bucket. These measures can be applied to any database and can be replicated by any business:

1. Secure your servers.
2. Implement proper access rules.
3. Never leave a system that doesn’t require authentication open to the internet.

For a more in-depth guide on how to protect your business, check out our guide to securing your website and online database from hackers.

For PayMyTab Customers

If you’re a customer of a restaurant using PayMyTab, contact them to ensure they're aware of the breach and how it impacts you.

Concerned about how data vulnerabilities, and cyber-crime in general, might impact you? Read our complete guide to online privacy.

It shows you the many ways cybercriminals target internet users, and the steps you can take to stay safe.

How and Why We Discovered the Breach

We were notified of the breach in PayMyTab’s database as a result of our huge web mapping project looking for database leaks across the internet. 

The individual who uncovered the leak requested that we be informed to increase public awareness. By doing this, we aim to encourage all mobile payment firms to reevaluate their data protection procedures.

The purpose of this web mapping project is to help make the internet safer for all users.

As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. This is especially true when the companies data breach contains such private information.

However, these ethics also mean we carry a responsibility to the public. PayMyTab users must be aware of a data breach that impacts them also.

About Us and Previous Reports

vpnMentor is the world’s largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.

We recently discovered a huge data breach impacting 80 million US households. We also revealed that a breach in Biostar 2 compromised the biometric data of over 1 million people. You may also want to read our VPN Leak Report and Data Privacy Stats Report.

[Publication date: 19.11.2019]