Online privacy is an important issue, with customers relying on companies to protect personal data that is being shared with them. Recently, however, several instances of some such firms proving to be too casual with user data have been observed. Last month, an incident of millions of sensitive user records being easily viewable online for several days was discovered - apparently owing to a "technical mistake". Then, earlier today, we reported on online retailer Newegg's customers' credit card information possibly being stolen.
Now, information has emerged regarding the leakage of over 14 million sensitive records of customers of U.S. company Government Payment Service which conducts its business through the website govpaynow.com. According to the report, the compromised data dates back to 2012.
The Indianapolis-based firm is responsible for processing online payments for a variety of issues including court-ordered fines, bail payments, and more, through its service GovPayNet. The website via which all this business is conducted displays online receipts to citizens who have made any such payments. However, according to investigative reporter Brian Krebs, 'private' data of customers was easily accessible to anyone until a few days ago by simply changing digits in the web address belonging to each receipt.
As per the report, the data compromised included over 14 million records, ranging from names and addresses of customers to phone numbers and the last four digits of their credit cards. GovPayNet was alerted about the significant data leakage on September 14, and it issued the following response a couple of days later:
GovPayNet has addressed a potential issue with our online system that allows users to access copies of their receipts, but did not adequately restrict access only to authorized recipients. The company has no indication that any improperly accessed information was used to harm any customer, and receipts do not contain information that can be used to initiate a financial transaction. Additionally, most information in the receipts is a matter of public record that may be accessed through other means. Nonetheless, out of an abundance of caution and to maximize security for users, GovPayNet has updated this system to ensure that only authorized users will be able to view their individual receipts. We will continue to evaluate security and access to all systems and customer records.
Interestingly, GovPayNet was acquired earlier this year by Texas-based company Securus Technologies. The prison technology company does not maintain the cleanest of records when it comes to protecting data, having been accused of providing law enforcement agencies a service to identify people's locations without the issuance of a court order.
The records were especially easy to gain access to because they were sequentially ordered. So theoretically, just changing a single digit in the payment receipt URL in a way that logically made sense would have provided access to another user's sensitive data. Just to clarify, this isn't a deliberate leakage on the company's part, rather a failure to spot a significant issue leading to compromise of sensitive user data.
As noted by Krebs, avoiding private information exposure such as in this incident is quite easy with fairly simple protection mechanisms. Encrypting portions of URLs unique to each customer payment, or even using non-sequential record numbers could easily help reduce the surprisingly common occurrence of such issues. However, many organizations opt not to invest in the aforementioned security techniques.