It’s been reported this morning that a payment website – Government Payment Service Inc. (GovPayNet) – used to process US government payments for traffic citations, court-ordered fines, bail payments and more has leaked more than 14 million customer records. The leak included names, addresses, phone numbers and sections of the credit card number used. IT security experts commented below.
Andy Norton, Director of Threat Intelligence at Lastline:
James Hadley, CEO & Founder at Immersive Labs:
Lillian Tsang, Senior Data Protection and Consultant at Falanx Group:
“If we put it into context against the GDPR, the breach has resulted in a high risk to the rights and freedoms of individuals. There is the potential for identity theft, fraud and even cloning, depending on the full scale of the type of information leaked. The mastery held by hackers and the “trades” in personal information in the murky underworld is limitless.
Although the data has been leaked – this in itself is somewhere in the murky lands of it being potentially exchanged, manipulated and cloned. This part cannot be controlled. However, what can be controlled is the frequency of periodic reviews of systems and controls. GovPayNet acknowledges, “it did not adequately restrict access to authorised recipients”. This could have been picked up during a Data Protection by Design and Default approach or the use of DPIAs, particularly for projects such as an online portal in this instance where the velocity and volume of personal data is incredibly high. Even where Data Protection by Design and Default has not been mandated in a country – its equivalent or standard risk assessments used in industry or specific sectors would be a good start for product and service development that processes personal data.
Whether there has been a leak of login details – naturally customers should be advised to change logins and passwords, with advice on the strength of passwords. “Cat” as a password may not cut it. “Cat2Twinkles6Liberty$” may. Reciprocal approach – entities serve customers. Customers get informed as well. Banks and relevant institutions ought to be notified. Several communications channels should be used, as opposed to a single contact channel, and not as part of a by-line with marketing material and general newsletters. Direct emails and SMS are good examples. Banners on the corporate website and advertisements in print media may also be an avenue to explore.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.