GovPayNet accidentally leaked over 14 million customer records that date back to 2012

• The US Government-partnered payment solutions provider leaked customer information dating back to 2012.
• GovePayNet is reportedly used by multiple US government agencies for the payment of court fines, cash bails, traffics violations and tax payments.

GovPayNet, a solution-oriented payment processing service provider, inadvertently leaked over 14 million customer records. The service is used by multiple U.S state and local governments for the payment of court fines and costs, cash bails, traffic violations, real estate and property tax payments.

The compromised information consists of customer records that date back to 2012. The data exposed includes names, addresses, phone numbers and the last four digits of credit card numbers. The breach was uncovered by security journalist Brian Krebs who notified GovPayNet in September 14. Within two days, GovPayNet addressed the issue.

“GovPayNet has addressed a potential issue with our online system that allows users to access copies of their receipts, but did not adequately restrict access only to authorized recipients," GovePayNet said in a statement, KrebsOnSecurity reported.

Breach caused by website bug

According to Krebs, a vulnerability on the GovPayNet website allowed attackers to view customer records by simply altering digits in the web address. These digits are available on every receipt generated as a payment acknowledgment for customers.

It is still unclear whether the hackers misused the stolen data.

“The company has no indication that any improperly accessed information was used to harm any customer, and receipts do not contain information that can be used to initiate a financial transaction.” GovPayNet said. "Out of an abundance of caution and to maximize security for users, the company has updated this system to ensure that only authorized users will be able to view their individual receipts. We will continue to evaluate security and access to all systems and customer records."

Such data exposure incident have quickly become one of the most common forms of information leaks. GovPayNet’s parent company “Securus” had also suffered a data breach in May 2018. As reported in Motherboard, cyber criminals broke into Securus systems to steal online credentials of multiple law enforcement officials.

This alarming trend of accidental data breaches highlights how organizations are continually falling short of implementing basic security practices.