A popular platform for making payments to US government entities leaked over 14 million customer records through a website error before being notified, it has emerged.
Government Payment Service runs the GovPayNet portal which many Americans use to pay bills, fines, license fees and more to over 2000 government agencies in 35 states.
However, the online receipts it issued on payment were apparently sequentially numbered and by typing new digits into the address bar individuals could view other records, according to journalist Brian Krebs.
The site was notified on Friday that it had been exposing over 14m records in this way dating back to 2012.
It moved relatively quickly to address the issue over the weekend, admitting in a statement that it “did not adequately restrict access only to authorized recipients.”
“The company has no indication that any improperly accessed information was used to harm any customer, and receipts do not contain information that can be used to initiate a financial transaction,” it continued.
In fact, the exposed data included names, addresses, phone numbers and the last four digits of card numbers: more than enough to theoretically use in realistic-looking follow-on phishing attacks.
The firm continued to play down the potential impact of the security snafu.
“Additionally, most information in the receipts is a matter of public record that may be accessed through other means,” it claimed. “Nonetheless, out of an abundance of caution and to maximize security for users, GovPayNet has updated this system to ensure that only authorized users will be able to view their individual receipts. We will continue to evaluate security and access to all systems and customer records.”
Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, said the leak was relatively minor but that extra care should be taken by businesses interacting with the government.
“Online payment providers … should take special care to protect their customers’ receipts by using HTTPS and checking that the user is logged in and has permissions to view them,” he added. “To avoid information disclosure and directory traversal issues, I also recommend denying anonymous web visitors the ability to read permissions for any sensitive data files and removing any unnecessary files from web-accessible directories."
The parent company of GovPayNet, Securus, is no stranger to security incidents, having been successfully hacked in 2015, exposing the records of 70m prisoner phone calls. Another of its services was misused by law enforcers to track real-time location of suspects through their phones.