Cashless toll payments end with massive data leak


Nearly a million Colombians and businesses were affected after the GoPass payment app exposed drivers’ sensitive data to anyone on the internet.

The Cybernews research team has discovered that the sensitive data of Colombian citizens was leaked by the Colombian paytech company GoPass, which left a Google Cloud Storage bucket open and accessible to anyone on the internet.
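The failure described here is a storage bucket whose access policy granted read access to the whole internet. As an added example (not part of the Cybernews article and not GoPass's code or configuration), the Python below reads a Google Cloud Storage bucket IAM policy document, in the JSON shape returned by the `buckets.getIamPolicy` API or by `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`, and flags any binding that includes `allUsers` or `allAuthenticatedUsers`, the two principals that make a bucket readable by anyone. The two policy documents embedded in the script are constructed for the example; the member names, bucket and etags are placeholders, and the "leaky" one is only the general shape of such a misconfiguration, not the real GoPass policy.

```python
"""Audit a GCS bucket IAM policy for bindings that expose it to the public.

Added example: the policy documents below are constructed, not real ones.
"""

import json

# Principals that make a binding public: anyone on the internet, or anyone
# holding any Google account.  Either one means "open to the internet".
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Predefined roles that allow reading object *contents*.  A public binding to
# one of these is a data leak; a public binding to any other role is still
# reported, but flagged as not exposing object data by itself.
OBJECT_READ_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
    "roles/storage.legacyBucketReader",
    "roles/storage.legacyObjectReader",
}


def public_bindings(policy: dict) -> list[dict]:
    """Return one finding per binding in `policy` that names a public principal.

    `policy` is the parsed JSON of a bucket IAM policy ({"bindings": [...], ...}).
    """
    findings = []
    for binding in policy.get("bindings", []):
        exposed = PUBLIC_MEMBERS & set(binding.get("members", []))
        if not exposed:
            continue
        findings.append({
            "role": binding["role"],
            "public_members": sorted(exposed),
            "reads_objects": binding["role"] in OBJECT_READ_ROLES,
            # An IAM Condition narrows the grant; it is still public, so note it.
            "conditional": "condition" in binding,
        })
    return findings


def audit(policy_json: str) -> dict:
    """Parse a policy document and summarise its public exposure."""
    findings = public_bindings(json.loads(policy_json))
    return {
        "world_readable": any(f["reads_objects"] for f in findings),
        "findings": findings,
    }


# Constructed sample: objects readable by anyone (the misconfiguration class
# described in the article).  Names and etag are placeholders.
LEAKY_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/storage.admin",
     "members": ["user:ops@example.com",
                 "serviceAccount:app@example.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers"]}
  ],
  "etag": "CAE=",
  "version": 1
}
"""

# Constructed sample of the remediated policy: the public binding removed,
# only the operator and the application's service account remain.
FIXED_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/storage.admin",
     "members": ["user:ops@example.com",
                 "serviceAccount:app@example.iam.gserviceaccount.com"]}
  ],
  "etag": "CAF=",
  "version": 1
}
"""


if __name__ == "__main__":
    for label, doc in (("leaky", LEAKY_POLICY_JSON), ("fixed", FIXED_POLICY_JSON)):
        result = audit(doc)
        print(f"{label}: world_readable={result['world_readable']}")
        for finding in result["findings"]:
            print("   ", finding)
```

Run it against the output of `gcloud storage buckets get-iam-policy` for each bucket in a project and alert on any `world_readable` result. One caveat: this checks IAM bindings only. A bucket that still uses legacy fine-grained ACLs can also expose individual objects through per-object ACLs, so enabling uniform bucket-level access (which disables object ACLs) makes the IAM policy the single place that has to be right.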

The company offers an all-in-one solution to pay for road services. With GoPass, drivers can make cashless toll payments, pay at gas stations, car washes, and parking lots, settle fines, or access roadside assistance.


In the first half of 2023, the app served 350,000 cars and trucks and processed six million transactions. It also secured $15M in series A funding from Brazilian venture capital firm Kaszek Ventures.

The discovered storage bucket, most likely used by the payment app, contained over 800,000 sensitive documents with drivers' transaction data. It’s still unknown how long it remained exposed.

What was leaked:

  • Vehicle license plate numbers
  • Número de Identificación Tributaria (NIT) – a taxpayer ID, or Número Único de Identificación Personal (NUIP) – a Unique Personal Identity Number
  • Date and time of transactions
  • Price paid
  • Phone number
  • Full name or business name
  • Email address
  • City
  • Country

A data leak of this kind not only carries reputational risks for the company but also poses an actual threat to the users. With 800,000 people and businesses affected, criminals could use the leaked vehicle license plate numbers to create cloned plates, making it easier to commit crimes like toll evasion or to drive stolen cars without being caught.

“Personal identification numbers, together with license plate numbers, could be abused to gather further information about the vehicle and the driver from Colombia's RUNT system,” our researchers said.

“This would allow threat actors to find the exact combination of make, model, and color of the vehicle to make an almost indistinguishable clone of the original in the eyes of the government and law enforcement. The only way to distinguish between the original and the fake car would be the VIN number, but for that, the vehicle would need to be pulled over and inspected.”

[Image: GoPass leak. Source: Cybernews]

The risk becomes even greater when personal identification numbers are leaked alongside transactional data, as this can fuel a wide range of malicious activities.

Having a personal identification number (NUIP or NIT), especially when combined with other personal information, could enable threat actors to open bank accounts, apply for loans in the victim's name, or engage in other forms of financial fraud.

Leaked data could also be used for targeted phishing and social engineering campaigns, to extract further sensitive information and cause more damage.

Cybernews contacted the company, and the open instance was quickly closed. An official comment has yet to be received.