PayMyTab Exposes Restaurant Customer Data: Report
Researchers Say Company Left Customer Data Unsecured in AWS S3 Bucket
An unsecured database belonging to PayMyTab, a company that provides U.S. restaurants with mobile payment apps and devices, left payment card and other customer data exposed, according to a new report from two independent security researchers.
The unsecured Amazon Web Services database was discovered by Noam Rotem and Ran Locar, self-described security researchers and hacktivists, according to their Tuesday blog post on the site vpnMentor. The researchers have made a series of blog posts about exposed databases in recent months (see: Investigation Launched After Ecuadorian Records Exposed).
The two researchers say they contacted PayMyTab, which is based in San Francisco, in late October about the data exposure. PayMyTab did not immediately reply to a request for comment on whether the database has been secured.
In their report, Rotem and Locar don't say how large the unsecured database is. But they note that the information it contained could affect "10,000s of people."
The exposed data includes the last four digits of payment card numbers; the customer name, email address and telephone number; the date, time and location of the restaurant visited; and even details about the meal order, according to the blog post.
"This data breach represents a serious lapse in basic security protocol for PayMyTab," the two researchers write. "By exposing this database, they risked the privacy of customers in their client restaurants, the restaurants themselves, as well as PayMyTab’s entire business."
Tracking Security Lapses
As part of an ongoing research project to map the internet, Rotem and Locar have come across numerous databases that have been left unsecured by their owners (see: Unsecure Database Exposed US Military Personnel Data: Report).
In the case of PayMyTab, however, the two researchers were tipped off by an anonymous source who found this particular AWS Simple Storage Service, or S3, database earlier this year, according to the blog.
The researchers received the tip about the database Oct. 18. They say they contacted PayMyTab on Oct. 22 and Oct. 27, but did not receive an answer.
It's not clear how long this database was left exposed, but the researchers note that PayMyTab first began storing data in an S3 bucket in July 2018. PayMyTab did not follow AWS' protocols for securing this type of cloud-based database, Rotem and Locar claim.
"The S3 bucket contained detailed records of any customer at a restaurant using PayMyTab who had chosen to have their receipt emailed to them after a meal," the researchers write. "By providing their email address, they could view their receipt online from their email inbox. If they clicked a link to view the receipt, their PII was exposed to anybody with access to the S3 bucket database."
One way for PayMyTab to quickly remediate the leak is by keeping the bucket "public" and then removing certain "list" permissions, the two researchers say.
The researchers note, however, that this method is not always effective. If another hacker had accessed the bucket and downloaded the files already, the hacker would still have access to the consumer data on the receipts. The attacker could then use this to undermine any future randomized security measures placed on the bucket, according to the blog.
"To ensure this doesn’t happen, PayMyTab will need to follow AWS access and authentication best practices and add more layers of protection to their S3 bucket, thus restricting who can access it from every point of entry," the researchers write.
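The researchers' two points above, that stripping anonymous "list" permission alone is a half-measure and that the bucket needs proper access controls at every entry point, can be checked mechanically against a bucket's policy and ACL documents. The following audit script is an added example written for this article; it is not PayMyTab's code or the researchers' tooling. It works offline on constructed sample documents: a weak policy granting anonymous listing and reads, a "half-fixed" policy that only removes listing, and a hardened policy that limits reads to a named application role (the bucket name, account ID and role name are placeholders). The same functions could be fed the output of `aws s3api get-bucket-policy` and `get-bucket-acl` for a real bucket.

```python
"""Audit S3 bucket policy and ACL documents for anonymous list/read access.

Added example, not code from the article or from PayMyTab. All sample
documents below are constructed; bucket, account and role names are
placeholders.
"""
import json

ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Actions that let an anonymous caller enumerate or fetch objects.
EXPOSING_ACTIONS = {"s3:listbucket", "s3:getobject", "s3:*", "*"}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """A Principal of "*" or {"AWS": "*"} matches anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_findings(policy):
    """Return exposing actions that the policy allows to everyone, unconditionally."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditional public grants need manual review; not flagged here
        for action in _as_list(stmt.get("Action")):
            if action.lower() in EXPOSING_ACTIONS:
                findings.append(action)
    return sorted(set(findings))


def public_acl_findings(acl):
    """Return ACL permissions granted to the AllUsers or AuthenticatedUsers groups.

    On a bucket ACL, READ is what allows object listing."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS_URI, AUTH_USERS_URI):
            findings.append(grant.get("Permission"))
    return sorted(set(findings))


def is_exposed(policy, acl):
    """True if either the policy or the ACL opens the bucket to the public."""
    return bool(public_policy_findings(policy) or public_acl_findings(acl))


# Constructed sample: anonymous listing plus reads, so anyone can enumerate and
# download every object (every emailed receipt, in the article's scenario).
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-receipts"},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-receipts/*"}
  ]}""")

# Constructed sample of the half-measure: listing removed, but objects are still
# readable by anyone who already knows (or previously downloaded) a key.
HALF_FIXED_POLICY = {"Version": "2012-10-17", "Statement": [WEAK_POLICY["Statement"][1]]}

# Constructed sample: only a named application role may read, and plaintext
# transport is denied. The account ID and role name are placeholders.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-receipt-app"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-receipts/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-receipts", "arn:aws:s3:::example-receipts/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]}""")

WEAK_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS_URI}, "Permission": "READ"},
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]}

HARDENED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    samples = [("weak", WEAK_POLICY, WEAK_ACL),
               ("half-fixed", HALF_FIXED_POLICY, HARDENED_ACL),
               ("hardened", HARDENED_POLICY, HARDENED_ACL)]
    for name, pol, acl in samples:
        print(f"{name:10s} policy={public_policy_findings(pol)} "
              f"acl={public_acl_findings(acl)} exposed={is_exposed(pol, acl)}")
```

The half-fixed sample is the point of the researchers' caveat: `is_exposed` still reports it, because an unconditional `s3:GetObject` grant to `*` leaves every object readable to anyone holding a key from an earlier download. The hardened sample passes because its only `Principal: "*"` statement is a Deny; in practice it would be paired with the account-level and bucket-level "block public access" settings so that a later ACL or policy change cannot reopen the bucket.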