On Tuesday, security researcher Brian Krebs reported an issue with a service offered by Government Payment Service Inc. called GovPayNow. This service is used by U.S. state and local governments across 35 states, and it appears to have exposed 14 million customer records online.
Whose records did they have, and what records were exposed?
Government bodies use the GovPayNow service to handle payments related to law enforcement agencies, courts, corrections facilities, departments of revenue, restitution payments, payment of traffic and criminal fines, property taxes, and more.
According to Brian Krebs, the exposed data included names, addresses, phone numbers and the last four digits of the payer’s credit card, on receipts going back six years. How? The company failed to restrict access to the receipts, which left them open for anyone to retrieve.
Has the breach been addressed?
The company confirmed the issue identified by the research. It said in a statement that “GovPayNet has addressed a potential issue with our online system that allows users to access copies of their receipts, but did not adequately restrict access only to authorized recipients.” It added that it has “no indication that any improperly accessed information was used to harm any customer.”
The long-term impacts of security oversights
This is a good example of how a small security oversight can jeopardize software and leave millions of end users exposed, while paving the way for future, more sophisticated phishing attacks. Although personally identifiable information (PII) such as name, address, phone number and last four digits of a credit card can be damaging on its own, end users are typically protected by their credit card companies against any fraudulent charges that result from a given data breach.
The larger and longer-term threat arises when attackers use the stolen information to contact individuals and ask them to either verify their purchase or re-enter their details to confirm it. This approach can give them a more complete set of PII on the end user, which can then be used for more sophisticated fraud such as opening new credit cards or mortgages, or even filing false tax returns in the victim’s name. Such an attack can lead to major credit problems or to accounts the end user does not even know exist, unless they are lucky enough to have credit monitoring in place.
Key takeaways from this breach
This breach, and others like it, continue to occur nearly every day because software security is very difficult to implement correctly. The GovPayNow breach was a direct result of an application doing exactly what it was supposed to do in terms of intended functionality while also behaving in unanticipated ways. Organizations must implement multiple security checks in the application to verify that the correct information is displayed to the correct user – and nothing more.
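The check described above is object-level authorization: being logged in is not enough, the application must also confirm that the requested record belongs to the requesting user. The following Python is an added illustration written for this post, not code from GovPayNet or from the original article; the receipt store, user ids and receipt ids are constructed sample data, and the shape of the receipt-download handler is an assumption about how such an endpoint is typically structured. It places the unchecked lookup beside a hardened one and adds a small denial counter a defender can use to spot a session that keeps asking for other people’s receipts.

```python
"""Object-level authorization on a receipt lookup.

Added example, not code from GovPayNet or from the original post.
The receipt store and ids below are constructed sample data; the
handler shape (session user id + requested receipt id) is an assumption.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Receipt:
    receipt_id: int
    owner_id: int          # the account that made the payment
    payer_name: str
    card_last4: str


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized."""


# Constructed sample data: two payers, three receipts.
RECEIPTS = {
    1001: Receipt(1001, owner_id=7, payer_name="A. Payer", card_last4="4242"),
    1002: Receipt(1002, owner_id=7, payer_name="A. Payer", card_last4="4242"),
    1003: Receipt(1003, owner_id=9, payer_name="B. Payer", card_last4="1881"),
}

# Audit trail of refused lookups: (session_user_id, receipt_id).
DENIALS: List[tuple] = []


def get_receipt_unchecked(session_user_id: Optional[int], receipt_id: int) -> Receipt:
    """The anti-pattern: the handler checks that *someone* is logged in,
    then returns whatever receipt the request names. Any authenticated
    user can read any other payer's receipt."""
    if session_user_id is None:
        raise PermissionError("login required")
    return RECEIPTS[receipt_id]          # no ownership check


def get_receipt(session_user_id: Optional[int], receipt_id: int) -> Receipt:
    """Hardened lookup: authentication plus object-level authorization.
    The receipt is released only if the session's user owns it."""
    if session_user_id is None:
        raise PermissionError("login required")
    receipt = RECEIPTS.get(receipt_id)
    # Same refusal for "does not exist" and "not yours", so the endpoint
    # does not confirm which receipt ids are valid. Record the refusal.
    if receipt is None or receipt.owner_id != session_user_id:
        DENIALS.append((session_user_id, receipt_id))
        raise Forbidden(f"receipt {receipt_id} not available to user {session_user_id}")
    return receipt


def can_read(session_user_id: Optional[int], receipt_id: int) -> bool:
    """True if the hardened handler would release the receipt."""
    try:
        get_receipt(session_user_id, receipt_id)
        return True
    except Forbidden:
        return False


def suspicious_users(min_denials: int) -> List[int]:
    """Users with at least `min_denials` refused lookups, sorted by id.
    A user repeatedly denied on receipts they do not own is a signal
    worth alerting on."""
    counts = Counter(user for user, _ in DENIALS)
    return sorted(u for u, n in counts.items() if n >= min_denials)


if __name__ == "__main__":
    # User 9 asks for user 7's receipt: the unchecked handler hands it over.
    print(get_receipt_unchecked(9, 1001).card_last4)   # leaked
    # The hardened handler refuses, and the refusal is recorded.
    print(can_read(9, 1001), can_read(9, 1002), can_read(7, 1001))
    print(suspicious_users(2))
```

The hardened handler deliberately returns the same refusal whether the receipt is missing or belongs to someone else, so a caller cannot learn which ids are real; the denial log feeds the kind of detection that would surface a session walking through receipts it does not own.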
Build security into your SDLC to protect data security.