PayMyTab database leaked PII on diners
An exposed database belonging to PayMyTab leaked PII on customers who dined at restaurants using the mobile payment system.

An anonymous third party discovered the open AWS S3 bucket and brought it to the attention of researchers at vpnMonitor through Helen Foster, a partner at the Davis Wright Tremaine law firm in Washington.

“This leak represents a failure in basic data security by PayMyTab and, in turn, makes 10,000s of people vulnerable to online fraud and attacks,” according to a blog post from the vpnMonitor research team led by Noam Rotem and Ran Locar.

Calling the data leak “a prime example of how S3 buckets are often overused and disregarded,” Dean Sysman, CEO and co-founder at Axonius, said, “Because it's so easy to back up mass amounts of data to these storage buckets, IT teams tend to not inspect what they're backing up and don't understand who has access to this data.”

The exposed S3 bucket is home to records of customers of restaurants that use PayMyTab and who chose to have their payment receipts emailed to them. “If they clicked a link to view the receipt, their PII was exposed to anybody with access to the S3 bucket database,” the researchers said.

Information exposed included names, email addresses, phone numbers, the last four digits of payment card numbers, order details and other information about the customer’s restaurant visit, such as restaurant name and location as well as time and date of the meal.

“This latest cyber incident illustrates how security issues can extend to businesses’ supply chain. In this case, the personal information of restaurant customers was exposed through PayMyTab’s unsecured AWS bucket,” said Elad Shapira, head of research at Panorays. “Having the correct security measures in place could have prevented this from occurring. When a business relationship is formed, security – a major form of risk – must be taken into consideration.”

Shapira called on businesses to “vet their partners from a security perspective, checking their security posture, practices and procedures” and “then work with the partner to close any gaps prior to onboarding.”

Even after the partners are onboarded, the companies must continue to monitor them “to avoid any future mishap, as security must be seen as an ongoing process.”