GovPayNow leak exposes 14 million records dating back six years

A government payment processing company -- GovPayNet -- leaked more than 14 million customer records, including names, addresses, phone numbers and partial credit card numbers.

A GovPayNet site -- GovPayNow -- handles online payments for more than 2,600 state and local government agencies across 36 states and had a feature that allowed customers to view payment receipts online as well. However, a security issue allowed anyone to view those receipts by changing certain numbers in a receipt URL. Because of this issue, the GovPayNow leak could have exposed at least 14 million customer records dating back to 2012.

In a statement to Brian Krebs -- who first reported the GovPayNow leak -- the company downplayed the severity of the exposed data.

"The company has no indication that any improperly accessed information was used to harm any customer, and receipts do not contain information that can be used to initiate a financial transaction. Additionally, most information in the receipts is a matter of public record that may be accessed through other means," GovPayNet said. "Nonetheless, out of an abundance of caution and to maximize security for users, GovPayNet has updated this system to ensure that only authorized users will be able to view their individual receipts. We will continue to evaluate security and access to all systems and customer records."

Securus Technologies acquired GovPayNet in January 2018, and the GovPayNow leak is another case of privacy issues around a Securus service.

In 2015, Securus Technologies, a U.S. prison phone service provider based in Carrollton, Texas, leaked 70 million call records placed by inmates, including links to download call recordings. Also, in May 2018, Securus was found to be providing law enforcement with real-time mobile phone location data. And after that news broke, Securus was hacked, exposing usernames, email addresses, phone numbers and passwords for the company's law enforcement customers.

Josh Mayfield, director of security strategy at Absolute Software Corporation, a cybersecurity company based in Austin, Texas, was skeptical about the company's response to the GovPayNow leak.

GovPayNet issued a statement saying that there isn't any evidence of unauthorized access ... except, when you consider how the vulnerability was discovered.

"True, GovPayNet issued a statement saying that there isn't any evidence of unauthorized access ... except, when you consider how the vulnerability was discovered," Mayfield wrote via email. "The very act of changing the URL to display receipts that are not yours is itself unauthorized access. Furthermore, if I know your name, address, phone number, and the service or charge for which you have a receipt, I have enormous detail about you personally. I may not use this data to set up fake accounts or steal your identity, but I don't need to. I have those details locked away in another data set I retrieved from the dark web."

Nishant Kaushik, CTO of Uniken, a cybersecurity company headquartered in New York, said the GovPayNow leak was yet "another reason to stop relying on personal information as part of your security processes."

"While it may be technically true that the receipts 'do not contain information that can be used to initiate a financial transaction,' the most common usage of this kind of leaked data is to take over access to online accounts, either through the call center or through password reset processes, and then use the taken over account to commit financial fraud," Kaushik wrote via email. "Organizations need to switch to more secure omnichannel authentication mechanisms that do not rely on PII to mitigate the threat of data breaches."

Terry Ray, CTO of Imperva, noted the GovPayNow website "has a PCI DSS stamp" indicating that the service completed at least one PCI audit. 

"These audits are supposed to verify that companies taking and storing credit card information perform routine code and vulnerability reviews on their applications. This particular problem would not likely have presented as a vulnerability in most cases, but should have presented under poor coding practices," Ray wrote via email. "Website usage or attacks of this type, whichever you prefer to call the situation, are avoidable whether it be through rewriting the code or the more common use of modern web application firewalls that validate cookies and prevent input injections and URL tampering."

Jake Olcott, vice president of strategic partnerships at BitSight Technologies, a security rating company based in Cambridge, Mass., said government agencies across the country "must address cyber risks to their vendors."

"Agencies rely on hundreds, if not thousands of vendors -- like GovPayNow -- to provide critical services, maintain sensitive citizen data, and perform key functions," Olcott wrote via email. "While agencies are spending significant amounts of money protecting themselves, they often fail to ask even the most basic cybersecurity questions of their vendors. The bad guys know this and are now shifting their attacks to the supply chain."