Privacy fears as popular US government payment site leaks customers' records, including names, addresses and credit card information. A popular government payment site used by thousands of local governments has leaked the data of more than 14 million users, a new report has found.
Security investigator KrebsOnSecurity discovered that Government Payment Service Inc, or GovPayNet, was using outdated security practices that allowed anyone to easily access a customer's receipt data for anything from bill payments to traffic tickets.
As a result, it would potentially expose a user's name, address, phone number and the last four digits of their credit card number. After a user pays for a bill on the GovPayNet website, they're directed to a confirmation page for each transaction, which includes a unique string of numbers at the end of the URL.
KrebsOnSecurity found that users could simply type in different receipt numbers in the web address to view other people's bills. Researcher Brian Krebs tipped GovPayNet off to the issue. Two days after the issue was brought to its attention, the company issued a statement.
'GovPayNet has addressed a potential issue with our online system that allows users to access copies of their receipts, but did not adequately restrict access only to authorized receipts,' the company told KrebsOnSecurity.
GovPayNet added that it has 'no indication that any improperly accessed information was used to harm any customer.' The firm has since updated its system to make sure that 'only authorized users' can view their online receipts.
However, security experts said that while the receipts may not include information that could be used by hackers for financial transactions, the flaw still presented a significant risk to users' privacy.
The flaw exposed receipts from customers dating as far back as 2012, KrebsOnSecurity noted. What's more, GovPayNet says it 'handles more than 2.1 million payments annually to more than 2,600 agencies in 36 states reaching more than 26 percent of all US counties,' according to its site.
'These are basic web application coding practices that I've seen since the early 2000's and should not happen,' Terry Ray, CTO of cyber security software provider Imperva, said in a statement to Mail Online.
Another security expert said the leak presents ‘high risk' to affected individuals' privacy. 'There is the potential for identity theft, fraud and even of cloning, depending on the full scale of the type of information leaked,' Lillian Tsang, Senior Data Protection and Consultant at Falanx Group, a cyber-defense and intelligence services company, said in a statement to Mail Online.
'The mastery held by hackers and the “trades” in personal information in the murky underworld is limitless.' GovPayNet was acquired by telecommunications firm Securus Technologies in January.
Securus, which provides call services to prisons, came under fire earlier this year after it was found to be abusing its cellphone-tracking capabilities, by keeping track of people suspected to have committed a crime. Then, just a few weeks later, KrebsOnSecurity found that anyone could reset the password of a Securus user by guessing the answer to their pre-selected security questions.
As a result, hackers broke into its systems and stole credentials for several law enforcement officials.
US government payment site leaks 14 million customer records.