Security Strategy, Plan, Budget

14 million customer records exposed in GovPayNow leak

GovPayNow.com, a payment system used by thousands of federal and state government agencies in the U.S. and recently acquired by Securus Technologies, has leaked 14 million customer records.

Information exposed includes the last four digits of payment cards, names, phone numbers and addresses, according to Brian Krebs, who discovered the leak.

Anyone could view the information by changing the digits in the URL of an online receipt that the service gives users when they pay parking citations, fines or make other financial transactions.

“GovPayNet [which is doing business as GovPayNow] has addressed a potential issue with our online system that allows users to access copies of their receipts, but did not adequately restrict access only to authorized recipients,” according to a company statement sent to KrebsOnSecurity, which also said there was no “indication that any improperly accessed information was used to harm any customer, and receipts do not contain information that can be used to initiate a financial transaction.”

Noting that most of the information exposed “is a matter of public record that may be accessed through other means,” the company said. “Nonetheless, out of an abundance of caution and to maximize security for users, GovPayNet has updated this system to ensure that only authorized users will be able to view their receipts.”

Calling the breach at the Indianapolis-based company “fairly minor” compared to others over the last year, Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, said, "Online payment providers, especially those doing business with the government, should take special care to protect their customers’ receipts by using HTTPS and checking that the user is logged in and has permissions to view them.”

Bilogorskiy also recommended, to “avoid information disclosure and directory traversal issues,” that companies deny “anonymous web visitors the ability to read permissions for any sensitive data files and removing any unnecessary files from web-accessible directories."

Pravin Kothari, CEO of CipherCloud, noted the security incident - which exposed data from as far back as 2012 - isn’t the first for Securus, which bought the company in January.

“Securus has had other issues with cybersecurity over the past few years including the misuse of a service that tracked convicted felons' cellphones, hackers penetrating this same system and subsequently stealing logins and legitimate credentials, and finally another flaw in May that allowed unauthorized access to accounts by guessing answers to the security questions,” he explained.

In the spring, a hacker swiped 2,800 logins and passwords from Securus, on the heels of Sen. Ron Wyden, D-Ore., asking the Federal Communications Commission (FCC) to investigate the wireless carriers that allow law enforcement to have “unrestricted access to the location data” of their customers after a former Missouri sheriff was indicted for, among other things, tracking the cell phones of numerous persons, including some state troopers, without the benefit of a court order.

The issues prompted wireless carriers like Verizon to review their location aggregator programs and terminate existing location data sharing agreements with third-party brokers.

Many of the “flaws are simple to find and fix. That’s not the issue,” said Kothari. “The issue is that there will always be open vulnerabilities, misconfigurations, and missing updates that attackers can exploit. You cannot fix them all.”

It’s inevitable that attackers will penetrate networks, given increasing numbers and an escalating volume of persistent attacks,” he said. 

“Best practices today position safekeeping of your data, at all times, in a pseudonymized form,” Kothari said. “This makes it an order of magnitude harder for the attackers to acquire useful information which they can exploit from within your on-premise networks or your cloud services.”

GovPayNow.com displays an online receipt when citizens use it to settle state and local government fees and fines via the site. Until this past weekend it was possible to view millions of customer records simply by altering digits in the Web address displayed by each receipt.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.