Popular Government Payment Solution Exposes 14M Records

Though millions of records from the last six years were accessible through a now-fixed vulnerability, company officials say there is no evidence the data is being misused.

by / September 18, 2018
Shutterstock

A popular payment portal among government agencies potentially exposed the personal information of millions of citizens. And while there’s been no confirmed exploitation of customer data, the vendor community is urging public agencies to use caution moving forward.

Krebsonsecurity.com, the news and investigations website created by former Washington Post reporter Brian Krebs, reported on Sept. 18 that it had alerted Indiana-based Government Payment Services Inc. to the inadvertent exposure of “at least 14 million customer receipts dating back to 2012.” In his coverage, Krebs characterized the situation as the leaking of “more than 14 million customer records dating back at least six years, including names, addresses, phone numbers and the last four digits of the payer’s credit card.”

Government Payment Service Inc., known online as GovPayNet, works with around 2,300 government agencies across 35 states handling payment for things like parking tickets and licensing, a spokesman confirmed.

“Until this past weekend, it was possible to view millions of customer records simply by altering digits in the Web address displayed by each receipt,” Krebs wrote, adding that he had alerted the company to the situation on Sept. 14 and received a response two days later showing it had reacted to “a potential issue.” A company spokesman also provided the statement to Government Technology.

“GovPayNet has addressed a potential issue with our online system that allows users to access copies of their receipts, but did not adequately restrict access only to authorized recipients. The company has no indication that any improperly accessed information was used to harm any customer, and receipts do not contain information that can be used to initiate a financial transaction,” the company said in the statement.

GovPayNet also indicated the majority of the information in the receipts is “a matter of public record that may be accessed through other means.” But, “out of an abundance of caution and to maximize security for users,” the company said it has updated its system, to be sure only authorized users can view individual receipts.

In an interview with GT, a spokesman for GovPayNet challenged Krebs’ characterization of the incident as a leak and stressed that the information in question appears to not have been acted upon.

“It’s a bit of a mischaracterization to refer to this as a leak, or certainly, a leak of that many records. We’ve seen no evidence so far to indicate there was an effort to access a large quantity of these receipts,” the spokesman said, noting that GovPayNet’s self-assessment is ongoing.

“There’s a universe of information that could have been accessed by someone who knew how to do it, but so far — and we’re obviously continuing to assess — so far we’ve seen no evidence there were large-scale attempts to access that information,” the spokesman added.

It remains unclear which state and local governments utilize GovPayNet’s services. 

Jessica Ortega, a website security analyst at Scottsdale, Ariz.-based SiteLock, which designs website security products to prevent and remediate malware infections, praised Krebs’ vigilance and GovPayNet’s quick action. But she acknowledged bad actors could already have obtained the information and stockpiled it before the issue was identified — noting the information in this incident is likely very similar to data disclosed in the 2017 Equifax breach, making it hard to trace the origins of any malicious activity.

“I think we’re probably OK, but it’s always a good idea for people to be vigilant whenever a breach has occurred,” Ortega said in an interview. She recommended government agencies be diligent in evaluating third-party vendors and asking questions about how data is stored and displayed on a website; and how credit card information is protected.

“You are ultimately responsible for the vendors in your supply chain, but this was a widely adapted service that was contracted. Up to this point we had no reason to suspect there was an issue, so again it just all comes back to being proactive. That proactive evaluation of data storage is so crucial in these days,” Ortega said, suggesting governments that suspect residents’ data was compromised consider contacting residents via email or placing a message on their agency website.

In a statement provided to GT, Carl Wright, CEO of AttackIQ, a San Diego, Calif.-based creator of attack simulations that test and measure an enterprise’s security posture, lamented that customer data leaks have become “commonplace,” and often caused by security issues that are “easily prevented.” He urged agencies to have a strategy in place against future events.

“Exposure of any type of customer data is an issue. Always. Every organization should have a plan to continuously assess the viability of their security controls the same way the adversary does,” said Wright, whose company works with local and federal government agencies.

Theo Douglas Staff Writer

Theo Douglas is a staff writer for Government Technology. His reporting experience includes covering municipal, county and state governments, business and breaking news. He has a Bachelor's degree in Newspaper Journalism and a Master's in History, both from California State University, Long Beach.