PayMyTab recently exposed highly sensitive personally identifiable information (PII) of consumers across the US who had dined at restaurants that integrated the platform into their service.

PayMyTab supplies restaurants across the US with card and mobile payment terminals that offer customers and businesses a more streamlined payment process. vpnMentor's research team, led by Noam Rotem and Ran Locar, was recently informed of a huge lapse in PayMyTab's security. "This leak represents a failure in basic data security by PayMyTab and, in turn, makes 10,000s of people vulnerable to online fraud and attacks," says vpnMentor.

Figure: Example of entries in the database

According to vpnMentor, from July 2nd, 2018 to the present day PayMyTab hosted consumer PII in an Amazon Web Services (AWS) S3 bucket, a common form of storage on AWS. S3 buckets are a popular and safe method of storage, the research team notes, but PayMyTab failed to follow AWS's security guidance and left its bucket unsecured. The point worth stressing for practitioners is that a new S3 bucket is private by default, so exposure of this kind comes from an explicit configuration, typically a bucket ACL or bucket policy that grants read access to everyone, and it is exactly what a routine audit of each bucket's ACL, policy, and Block Public Access settings is meant to catch.
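As an added offline example (this is not PayMyTab's or vpnMentor's code, and the report does not say which setting was at fault), the following Python evaluates the three S3 settings that decide whether a bucket is readable by anyone: the bucket ACL, the bucket policy, and the Block Public Access configuration. The input documents are constructed here to mirror the shape returned by `aws s3api get-bucket-acl`, `get-bucket-policy`, and `get-public-access-block`; the bucket name, owner ID, and statement Sid in them are placeholders, not values from the incident.

```python
import json

# Canned S3 groups; a grant to either one is a public grant.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_public_grants(acl):
    """Return [(group, permission), ...] for ACL grants to the public S3 groups."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUP_URIS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and group:
            out.append((group, grant.get("Permission")))
    return out


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (the "*" may sit inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def policy_public_statements(policy_json):
    """Return Allow statements that name any principal and carry no Condition.

    Statements with a Condition are deliberately left for manual review: a
    condition such as aws:SourceVpc narrows the audience, while one such as
    aws:SecureTransport does not, so neither verdict is safe to automate here.
    """
    if not policy_json:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return [s for s in statements
            if s.get("Effect") == "Allow"
            and _wildcard_principal(s.get("Principal"))
            and "Condition" not in s]


def public_access_block_complete(pab):
    """True only when all four Block Public Access switches are on."""
    return all(pab.get(k) is True for k in PAB_KEYS)


def assess_bucket(acl, policy_json, pab):
    """Return (is_public, findings).

    A public grant only makes the bucket public when the switch that would
    neutralize it is off: IgnorePublicAcls masks public ACLs and
    RestrictPublicBuckets masks public bucket policies. The other two switches
    only prevent new public settings from being written, so they are reported
    but do not change the verdict.
    """
    findings, public = [], False
    for group, perm in acl_public_grants(acl):
        if pab.get("IgnorePublicAcls") is True:
            findings.append(f"ACL grants {perm} to {group} (masked by IgnorePublicAcls)")
        else:
            public = True
            findings.append(f"ACL grants {perm} to {group}")
    for s in policy_public_statements(policy_json):
        sid, action = s.get("Sid", "<no Sid>"), s.get("Action")
        if pab.get("RestrictPublicBuckets") is True:
            findings.append(f"policy {sid} allows {action} to any principal (masked by RestrictPublicBuckets)")
        else:
            public = True
            findings.append(f"policy {sid} allows {action} to any principal")
    missing = [k for k in PAB_KEYS if pab.get(k) is not True]
    if missing:
        findings.append("Block Public Access not fully enabled: " + ", ".join(missing))
    return public, findings


# Constructed sample: a bucket exposed the way such leaks usually happen (placeholder IDs).
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-id"}
LEAKY_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-receipts-bucket/*"}]})
NO_PAB = {k: False for k in PAB_KEYS}

# Constructed hardened counterpart: owner-only ACL, no bucket policy, every switch on.
PRIVATE_ACL = {"Owner": {"ID": "example-owner-id"},
               "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
FULL_PAB = {k: True for k in PAB_KEYS}

if __name__ == "__main__":
    for label, args in (("leaky", (LEAKY_ACL, LEAKY_POLICY, NO_PAB)),
                        ("hardened", (PRIVATE_ACL, None, FULL_PAB))):
        is_public, notes = assess_bucket(*args)
        print(f"{label}: public={is_public}")
        for note in notes:
            print("  -", note)
```

To run this against real buckets, feed `assess_bucket` the JSON from `aws s3api get-bucket-acl`, the `Policy` string from `aws s3api get-bucket-policy` (absent when the bucket has none), and the `PublicAccessBlockConfiguration` object from `aws s3api get-public-access-block`; Block Public Access was introduced by AWS in November 2018, so a bucket configured in mid-2018 would have had none of these switches unless someone turned them on later. Object-level ACLs can also expose individual objects and are not covered by this bucket-level check.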

"The S3 bucket contained detailed records of any customer at a restaurant using PayMyTab, who had chosen to have their receipt emailed to them after a meal. By providing their email address, they could view their receipt online from their email inbox. If they clicked a link to view the receipt, their PII was exposed to anybody with access to the S3 bucket database," notes the report.

The customer PII viewable in the bucket included:

  • Customer’s name 
  • Email address or cell telephone number
  • Last 4 digits of the payment card number 
  • Order details (meal items)
  • The date, time, location, and name of the restaurant visited

Read more about the incident by visiting the vpnMentor website.