Online payment solution provider GovPayNet, which serves 2,300 government agencies in the US, has experienced a data leak of 14 million unique customer receipts dating back to 2012.
GovPayNet is an online portal that processes payments of fees and fines issued by US state and local governments.
What was the vulnerability?
After the reports came out, it was stated that the website's receipt URLs were vulnerable: any receipt could be retrieved simply by changing the digits of the receipt number in the URL (an insecure direct object reference). The vulnerability allowed anyone to access millions of customer records. The company also confirmed there was no indication that any improperly accessed information had been used for malicious purposes.
The receipts do not contain information that could be used to initiate a financial transaction; the exposed data consisted of names, addresses, phone numbers and the last four digits of card numbers.
Data leaks and breaches around this quarter
There have already been around 864 data breaches reported in the U.S. this year. Looking back over the last 30 days, telecom giant T-Mobile suffered a data breach affecting more than 2 million customers, and British Airways suffered a website hack affecting 380,000 travelers. This month also marks the anniversary of the Equifax mega breach, in which the Social Security numbers of 145.5 million consumers were exposed!
It is therefore quite possible that your personal data was involved in at least one of these major breaches. According to one survey, 1 in 3 victims of a data breach later experiences identity fraud.
What are the security measures companies must adopt?
Data leaks are becoming common, with database after database of user data being exposed. Most are preventable; they happen because proper security measures are not taken.
Some of the recommended security measures are:
1. Encrypting or randomizing record numbers, receipt numbers and similar identifiers so they cannot be guessed or enumerated.
2. Denying anonymous web visitors read access to any sensitive data files.
3. Maintaining robust web application security through periodic penetration testing.
4. Securing the three most important pillars of cyber security: people, process and technology.
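To make recommendations 1 and 2 concrete, here is an added example (not code from the article or from GovPayNet) that places the sequential-number lookup the leak relied on beside a hardened version that uses random receipt tokens plus an ownership check, and adds a small detector that flags a client walking through receipt numbers in an access log. The receipt records, user names and log lines are constructed sample data.

```python
import secrets

# Constructed sample data (not from the article): a tiny receipt store
# keyed by sequential receipt number, the pattern the leak relied on.
RECEIPTS = {
    1001: {"owner": "alice", "name": "Alice A.", "card_last4": "4242"},
    1002: {"owner": "bob", "name": "Bob B.", "card_last4": "1111"},
}

def lookup_insecure(receipt_no):
    """Vulnerable pattern: the number in the URL alone selects the record,
    so anyone can walk every receipt by changing the digits."""
    return RECEIPTS.get(receipt_no)

class ReceiptStore:
    """Hardened pattern (recommendations 1 and 2): receipts are addressed by
    an unguessable random token and returned only to the signed-in owner."""
    def __init__(self):
        self._by_token = {}

    def add(self, owner, record):
        token = secrets.token_urlsafe(24)  # 192 random bits, not sequential
        self._by_token[token] = {"owner": owner, **record}
        return token

    def lookup(self, token, session_user):
        if session_user is None:  # anonymous visitors get nothing
            return None
        rec = self._by_token.get(token)
        if rec is None or rec["owner"] != session_user:
            return None  # unknown token, or not this user's receipt
        return rec

# Constructed access-log lines: "<client-ip> <path>".
SAMPLE_LOG = [
    "198.51.100.7 /receipt/1001",
    "203.0.113.9 /receipt/1001",
    "203.0.113.9 /receipt/1002",
    "203.0.113.9 /receipt/1003",
]

def flag_enumeration(log_lines, threshold=3):
    """Detection: a client requesting many distinct receipt numbers is the
    enumeration the article describes; return the offending client IPs."""
    seen = {}
    for line in log_lines:
        ip, path = line.split()[:2]
        if path.startswith("/receipt/"):
            seen.setdefault(ip, set()).add(int(path.rsplit("/", 1)[1]))
    return {ip for ip, nums in seen.items() if len(nums) >= threshold}
```

The detector is deliberately simple; in production the threshold would be tuned against normal per-client traffic and the check run over a time window rather than the whole log.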
Exposure of any kind of customer data to the public is a problem. Organizations should have a plan to continuously assess the effectiveness of their security controls, the same way attackers are assessing them.