The personal records of PayMyTab customers have been left exposed online due to an unsecured Amazon data storage bucket.

According to cybersecurity firm vpnMentor, the database was brought to its attention via Helen Foster, a partner at Davis Wright Tremaine, who shared the findings exclusively with TNW.

PayMyTab — an at-table payment system — is a mobile app and device that enables diners to settle their checks using their secure EMV chip-enabled credit card. It also enables guests to split the bill and pay it, tip included, directly from their own phones.

The leaked personal information included the following details:

  • Customer’s name
  • Email address or cell phone number
  • Last 4 digits of the payment card number
  • The meal items ordered
  • The date, time, location, and the name of the restaurant visited

vpnMentor said it was alerted to the data leak on October 18, after which the researchers reached out to PayMyTab and Amazon to plug the security lapse on November 5.

As a result, any customer who used PayMyTab to pay for their meals between July 2, 2018 and early November of this year could have had the above details exposed this way.

We’ve reached out to PayMyTab for further details, and we’ll update the story if we hear back.

“The S3 bucket contained detailed records of any customer at a restaurant using PayMyTab, who had chosen to have their bill emailed to them after a meal,” vpnMentor stated. “By providing their email address, they could view their bill online from their email inbox.”

Over the years, Amazon’s Simple Storage Service (aka S3) has become a popular data storage solution that comes as part of the Amazon Web Services (AWS) cloud hosting service. It’s also led to a spike in the number of security incidents where businesses have left S3 servers accidentally exposed online, leaking private information in the process.

While the database storage bucket may have been secured now, the possibility that criminals could use the exposed customer information to stage a variety of spearphishing attacks still remains.

Businesses, for their part, need to secure their servers and put proper access controls in place to prevent such attacks in the future. It’s worth pointing out that Amazon rolled out a new security feature to AWS account owners last year specifically meant to prevent such accidental data exposures caused by the misconfiguration of S3 data storage buckets.

This is not the first time that vpnMentor has discovered databases and servers left wide open to the public. The firm has previously disclosed a massive data breach impacting Ecuadorian citizens, Chinese e-commerce firm Gearbest, and a hotel reservation system used by resorts to manage web bookings.

It goes without saying that database leaks of this kind have huge security ramifications, including providing hackers easy access to sensitive information, thereby serving as a springboard for mounting other kinds of phishing exploits.