Indianapolis-based GovPayNet, a private company that provides online payment services to more than 2,300 US government agencies across 35 states, exposed roughly 14 million receipt records dating back to 2012.
As reported by security researcher Brian Krebs, the company's website GovPayNow.com allowed anyone to view receipt data for payments ranging from traffic citations to court-ordered fines and bail.
This was possible because, after a payment was processed, GovPayNow.com issued a digital receipt confirming it and displayed that receipt on the website. The only thing distinguishing one receipt page from another was the receipt ID in the URL; the site never checked that the person requesting a receipt was the one who had paid. This is a textbook insecure direct object reference (IDOR).
Simply by changing the digits in the receipt ID, Krebs was able to pull up the receipt of any customer who had ever used GovPayNet's payment system. Each receipt showed the payer's full name, physical address and phone number, together with the last four digits of the payment card used in the transaction.
After finding the flaw, Krebs notified GovPayNet and received a reply two days later confirming that the "potential issue" he had reported was addressed.
GovPayNet fixed the receipt lookup and said it would evaluate the rest of GovPayNow.com's services.
"The company has no indication that any improperly accessed information was used to harm any customer, and receipts do not contain information that can be used to initiate a financial transaction," said a GovPayNet official. "Additionally, most information in the receipts is a matter of public record that may be accessed through other means."
The statement added that the receipt system has been updated so that receipts can be viewed only by authenticated and authorized users.
GovPayNet also said that an evaluation of how customer records and systems on GovPayNow.com are accessed and secured is ongoing.
GovPayNet is a subsidiary of Securus Technologies, a company that provides telecommunication services to many law enforcement agencies. In May 2018, Securus itself suffered a data breach in which the attackers stole credentials belonging to law enforcement officers.
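To make the flaw and the described fix concrete, here is an added illustration in Python. It is not GovPayNet's code: the receipt records, account names and function names in it are constructed for this example. The vulnerable lookup hands back any receipt whose ID is supplied, so a loop over the ID space recovers every record, which is what changing the digits in the URL amounts to. The hardened lookup requires a session user and checks that the receipt belongs to that user, which is what "authenticated and authorized" means in practice. An unguessable token lookup is included for the common case of a receipt link sent by e-mail, as defense in depth rather than a substitute for the ownership check.

```python
"""Constructed model of an IDOR in a receipt lookup and of its fix.

Not GovPayNet's code: the receipt records, user names and function
names below are made up for this example.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Receipt:
    receipt_id: int      # sequential, so trivially guessable
    owner: str           # account that made the payment
    name: str
    address: str
    phone: str
    card_last4: str


# Constructed sample data standing in for the receipt table.
RECEIPTS: Dict[int, Receipt] = {
    1001: Receipt(1001, "alice", "Alice Example", "1 Main St", "555-0100", "4242"),
    1002: Receipt(1002, "bob", "Bob Example", "2 Oak Ave", "555-0101", "1111"),
    1003: Receipt(1003, "carol", "Carol Example", "3 Elm Rd", "555-0102", "9876"),
}


class Forbidden(Exception):
    """Request rejected: not logged in, not the owner, or no such receipt."""


def vulnerable_receipt(receipt_id: int) -> Receipt:
    """Before the fix: whoever supplies an ID gets the matching receipt.

    No session check and no ownership check; the ID in the URL is the
    only thing that selects the record.
    """
    try:
        return RECEIPTS[receipt_id]
    except KeyError:
        raise Forbidden("no such receipt")


def hardened_receipt(receipt_id: int, session_user: Optional[str]) -> Receipt:
    """After the fix: require a logged-in user and check ownership.

    Missing and not-owned receipts get the same error so the endpoint
    cannot be used as an oracle for which IDs exist.
    """
    if session_user is None:
        raise Forbidden("authentication required")
    receipt = RECEIPTS.get(receipt_id)
    if receipt is None or receipt.owner != session_user:
        raise Forbidden("no such receipt for this user")
    return receipt


# Unguessable capability tokens for receipt links sent by e-mail, where
# no session exists. 128 bits of randomness cannot be walked the way a
# sequential integer can; this is defense in depth, not a replacement
# for the ownership check above.
RECEIPT_TOKENS: Dict[str, int] = {}


def issue_receipt_token(receipt_id: int) -> str:
    """Mint a high-entropy token that maps to exactly one receipt."""
    if receipt_id not in RECEIPTS:
        raise Forbidden("no such receipt")
    token = secrets.token_urlsafe(16)
    RECEIPT_TOKENS[token] = receipt_id
    return token


def receipt_by_token(token: str) -> Receipt:
    """Resolve a token to its receipt; anything unknown is rejected."""
    receipt_id = RECEIPT_TOKENS.get(token)
    if receipt_id is None:
        raise Forbidden("unknown receipt token")
    return RECEIPTS[receipt_id]


def enumerate_receipts(lookup: Callable[[int], Receipt],
                       start: int, count: int) -> List[Receipt]:
    """Walk the ID space and keep whatever the endpoint hands back."""
    found = []
    for rid in range(start, start + count):
        try:
            found.append(lookup(rid))
        except Forbidden:
            continue
    return found


if __name__ == "__main__":
    leaked = enumerate_receipts(vulnerable_receipt, 1000, 10)
    print("vulnerable endpoint, no login:", [r.name for r in leaked])
    blocked = enumerate_receipts(lambda rid: hardened_receipt(rid, None), 1000, 10)
    print("hardened endpoint, no login:", [r.name for r in blocked])
    own = enumerate_receipts(lambda rid: hardened_receipt(rid, "bob"), 1000, 10)
    print("hardened endpoint, logged in as bob:", [r.name for r in own])
```

Running the block shows the same ten-ID walk returning three receipts against the vulnerable lookup, none against the hardened lookup without a session, and only Bob's own receipt when logged in as Bob. The point of returning one error for both "missing" and "not yours" is that a scanner cannot even learn which IDs are valid, which matters when the ID space is small and sequential.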
Exclusive: GovPayNow/Net.com -- used by 2,300 govt agencies in 35 states to let people pay bail, fines and traffic tickets -- exposed >14M customer records, including name, address, phone and last 4 of credit card going back at least six years http://t.co/X9GvUSENVA pic.twitter.com/6yp5chtLFX — briankrebs (@briankrebs) September 17, 2018