Researchers from the company Kromtech found in open access database, which includes almost half a million files with personal information of tourists.

Apparently, the database belonged to the travel company MoneyBack, which provides services for tax refund (reimbursement of value added tax or sales tax refund) visitors from other countries in Mexico. MoneyBack is part of the Investment Fund of Mexico.

In total, the database contained approximately 400 GB of data, including 455,038 scanned documents (images of passports, identity cards, credit cards, tickets, etc.. ) as well as 88 623 unique passport numbers.

Data leakage was detected during a security check conducted by Kromtech researchers.

Researchers have identified an incorrectly configured server CouchDB, which allows access to data through a browser. In early 2017, a similar vulnerability led to the fact that 10% of CouchDB servers were victims of attacks using extortion software.

Most of the data belonged to the citizens of the USA, Canada, Argentina, Colombia and Italy, who used the services of MoneyBack. Experts find it difficult to answer how long the information was in public access. Some documents are dated 2015, but most of the records are dated May of this year.