Wednesday, September 19

GovPayNow Leaks 14M+ Records

Posted by Association of Vermont Credit Unions on 11:51 AM

Labels: , , , , , ,

As reported by KrebsonSecurity, a new data breach involving over 14 million consumer records dating back at least six years, including names, addresses, phone numbers and the last four digits of the payer’s credit card has been leaked.  the data breach occurred at Government Payment Service Inc. . . . used by thousands of U.S. state and local governments to accept online payments for everything from traffic citations and licensing fees to bail payments and court-ordered fines.

GovPayNet, doing business online as GovPayNow.com, serves approximately 2,300 government agencies in 35 states. GovPayNow.com displays an online receipt when consumers use it to settle state and local government fees and fines via the site. Until this past weekend it was possible to view millions of customer records simply by altering digits in the Web address displayed by each receipt.

In January of this year GovPayNet was acquired by Securus Technologies, a Texas-based company providing telecommunications services to prisons and helps law enforcement personnel keep tabs on mobile devices used by former inmates.  Securus does not have a great track record in securing data:
  • In May 2018, Securus’ service for tracking the cell phones of convicted felons was reported as being abused by law enforcement agencies to track the real-time location of mobile devices used by people who had only been suspected of committing a crime. Reportedly, authorities could use the service to track the real-time location of nearly any mobile phone in North America.
  • A short while later, it was reported that hackers had broken into Securus’ systems and stolen the online credentials for multiple law enforcement officials who used the company’s systems to track the location of suspects via their mobile phone number.
  • Another KrebsonSecurity story in May explained how Securus’ site reportedly allowed anyone to reset the password of an authorized Securus user simply by guessing the answer to one of three pre-selected security questions including:
    • What is your pet name?
    • What is your favorite color?, and
    • What town were you born in?
In other data breach incidents of 2018 . . . 
  • In April Panera Bread remedied a weakness that exposed millions of customer names, email and physical addresses, birthdays and partial credit card numbers.
  • In July, identity theft protection service LifeLock fixed an information disclosure flaw that exposed the email address of millions of subscribers.
  • In August, KrebsOnSecurity disclosed a similar flaw at work across hundreds of small bank websites run by Fiserv, a major provider of technology services to financial institutions.
Read the KrebonSecurity article online.

0 comments:

Post a Comment