It has been reported by Krebs that Government Payment Service Inc. — a company used by thousands of U.S. state and local governments to accept online payments for everything from traffic citations and licensing fees to bail payments and court-ordered fines — has leaked more than 14 million customer records dating back at least six years, including names, addresses, phone numbers and the last four digits of the payer’s credit card. IT security experts commented below.
Pravin Kothari, CEO at CipherCloud:
“All in all, many of these flaws are simple to find and fix. That’s not the issue. The issue is that there will always be open vulnerabilities, misconfigurations, and missing updates that attackers can exploit. You cannot fix them all. With increasing numbers and an escalating volume of persistent attacks, at some point attackers will get into your network. It is really unavoidable. Best practices today position safekeeping of your data, at all times, in a pseudonymized form. This might be achieved using technologies such as encryption and tokenization. If end-to-end encryption is used then the data would be well protected all of the time – in use, at rest (in the database), and in transit (middleware, network, API, etc.). This makes it an order of magnitude harder for the attackers to acquire useful information which they can exploit from within your on-premise networks or your cloud services.”
Nick Bilogorskiy, Cybersecurity Strategist at Juniper Networks:
“Online payment providers, especially those doing business with the government, should take special care to protect their customers’ receipts by using HTTPS and checking that the user is logged in and has permissions to view them. To avoid information disclosure and directory traversal issues, I also recommend denying anonymous web visitors the ability to read permissions for any sensitive data files and removing any unnecessary files from web-accessible directories.”
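The access-control point in the comment above, as an added example that is not code from the article or from any vendor quoted in it: a receipt lookup that trusts the receipt number alone, beside a hardened version that requires an authenticated session, checks ownership, and records denials so that receipt-number enumeration can be detected. The receipt records, user names and the denial threshold are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Receipt:
    receipt_id: int
    payer_user_id: str
    payer_name: str
    card_last4: str  # only the last four digits are ever stored, as in the reported records

# Constructed sample data standing in for a payment portal's receipt store
RECEIPTS = {
    1001: Receipt(1001, "alice", "Alice Example", "1234"),
    1002: Receipt(1002, "bob", "Bob Example", "9876"),
}

def get_receipt_unchecked(receipt_id: int) -> Optional[Receipt]:
    """Weak form: any visitor who supplies a receipt number gets the record,
    so sequential numbers can be walked to pull every receipt."""
    return RECEIPTS.get(receipt_id)

def fetch_receipt(receipt_id: int, session_user: Optional[str],
                  audit_log: List[str]) -> Tuple[str, Optional[Receipt]]:
    """Hardened form: the caller must be logged in and must own the receipt.
    Returns a status string and the receipt (only when status is 'ok')."""
    if session_user is None:
        audit_log.append(f"DENY user=anonymous receipt_id={receipt_id}")
        return "login_required", None
    receipt = RECEIPTS.get(receipt_id)
    # Missing and foreign receipts get the same answer, so a logged-in user
    # cannot learn which receipt numbers exist by probing.
    if receipt is None or receipt.payer_user_id != session_user:
        audit_log.append(f"DENY user={session_user} receipt_id={receipt_id}")
        return "not_found", None
    return "ok", receipt

def enumeration_suspected(audit_log: List[str], principal: str, threshold: int = 3) -> bool:
    """Detection helper (hypothetical threshold): flag a principal whose denied
    receipt lookups reach the threshold, the signature of number walking."""
    denials = sum(1 for line in audit_log if line.startswith(f"DENY user={principal} "))
    return denials >= threshold
```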
Javvad Malik, Security Advocate at AlienVault: