Mexican Tourism Company Leaked Tens of Thousands of Credit Cards and Passports Online

We may earn a commission from links on this page.

Security researchers last month discovered a trove of scanned images depicting the credit cards and passports of more than 88,600 international travelers. It’s unknown for how long the documents, which were secured on Wednesday, had been sitting online, just waiting to be stolen.

Researchers at the Kromtech Security Center say a cache of more than 300GB worth of sensitive records discovered in mid-August is linked to MoneyBack, a company that offers refunds on sales and other value-added taxes on goods purchased by travelers to Mexico.

On a server located in the United States, the company had stored more than 455,000 documents, including scanned images of credit cards, travel receipts, airline tickets, passports, and other government-issued ID cards.


Passports identified by Kromtech belong to citizens of the US, Canada, Argentina, Colombia, and Italy, among many other countries.


To encourage tourism, Mexico is one of several countries offering tax refunds to travelers who spend a minimum amount on goods in the country from participating stores. To qualify, tourists in Mexico must spend at least 1,200 pesos ($67 USD), enter the country by sea or by air from certain airports, and register with MoneyBack at an airport or cruise ship terminal.

To receive a refund on the qualifying taxed goods, MoneyBack requires travelers to cough up a slew of documents containing sensitive information, including boarding passes or cruise IDs for departure, receipts for their purchases along with credit card vouchers, in addition to passports and other immigration forms.


According to Kromtech, MoneyBack stored these records in a database (CouchDB) that was misconfigured, which allowed essentially anyone to access them, even through a web browser. It’s unknown how long the documents were exposed, but Kromtech says metadata on some of the files dates back to late 2015. The most recent records are dated May 2017.

After being alerted to issue, MoneyBack quickly secured the database, closing off a port (5984) that enabled public access. The company did not reply to Kromtech’s emails, however, nor has it responded to a request for comment from Gizmodo.


“Cyber criminals could have all of the information they would need to commit identity fraud or use the hundreds of thousands of credit card numbers that were in the database,” said Alex Kernishniuk, Kromtech’s VP of strategic alliances. “This is once again a warning to companies or organizations who collect sensitive data to take every possible step to ensure that proper data security measures are used.”

Added Kernishniuk: “Time and time again simple human errors that could be easily avoided expose sensitive data on the internet. It is unclear if anyone other than security researchers accessed the data or how MoneyBack will notify their customers around the globe that their data has been exposed.”


Late last week, Kromtech’s researchers discovered and helped secure more than 4 million records containing the personal details of Time Warner Cable (TWC) customers, which had been improperly stored on an Amazon S3 bucket without the protection of a password.