As our world becomes more advanced, hackers and unintentional vulnerabilities continue to prove that security has not kept up with technology’s relentless march forward.
The most recent company to face scrutiny is Government Payment Service Inc., also known as GovPayNet. Krebs on Security, a website focused on investigative reporting regarding security, informed the Indiana-based company it had been leaking customer information—for more than 14 million people—unintentionally for the last 6 years.
The private company is used by over 2,000 different government agencies in 35 states—although the exact agencies are not known—and is responsible for managing payments for a slew of different services such as parking tickets, bail fines, licensing fees, and more.
“Until this past weekend, it was possible to view millions of customer records simply by altering digits in the Web address displayed by each receipt,” Brian Krebs, founder of Krebs on Security and a former Washington Post reporter, shared.
Before Krebs’ organization caught the vulnerability, sleuthing hackers could potentially access names, phone numbers, addresses, and even part of a user’s credit card number.
A spokesperson for GovPayNet hastened to clarify that—to the company’s knowledge—nothing nefarious has been done with users’ information, and that use of the term “leak” does not quite fit the vulnerability discovered, given that there has not been a noticeable effort to access the information.
Still, the company corrected the issue quickly. In a statement provided to Krebs on Security, GovPayNet shared how it went about the fix:
“[O]ut of an abundance of caution and to maximize security for users, GovPayNet has updated this system to ensure that only authorized users will be able to view their individual receipts. We will continue to evaluate security and access to all systems and customer records.”
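The kind of flaw described above, a receipt served purely on the strength of the number in its Web address, and the kind of fix the statement describes, where only the authorized user can view a receipt, can be sketched as follows. This is an added example, not GovPayNet's code; the record layout, account names and numeric IDs are constructed assumptions.

```python
"""Added illustration: receipt lookup by URL identifier, without and with an
ownership check. All records, IDs and names are constructed sample data."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Receipt:
    receipt_id: int      # number that appears in the receipt's Web address
    owner: str           # account that made the payment
    payer_name: str
    card_last4: str


# Constructed sample store; plain numeric IDs are easy to alter by hand.
RECEIPTS = {
    r.receipt_id: r
    for r in (
        Receipt(1001, "alice", "Alice Example", "4242"),
        Receipt(1002, "bob", "Bob Example", "1881"),
        Receipt(1003, "alice", "Alice Example", "4242"),
    )
}


def get_receipt_unchecked(receipt_id: int) -> Tuple[int, Optional[Receipt]]:
    """Flawed pattern: the ID in the URL is the only thing consulted."""
    receipt = RECEIPTS.get(receipt_id)
    return (200, receipt) if receipt else (404, None)


def get_receipt_authorized(session_user: Optional[str],
                           receipt_id: int) -> Tuple[int, Optional[Receipt]]:
    """Corrected pattern: the authenticated session, not the URL, decides
    whose receipts may be returned."""
    if session_user is None:
        return 401, None                      # no session: authenticate first
    receipt = RECEIPTS.get(receipt_id)
    # Same 404 for "does not exist" and "belongs to someone else", so the
    # response does not confirm which receipt numbers are in use.
    if receipt is None or receipt.owner != session_user:
        return 404, None
    return 200, receipt
```

Logging the 404s returned by the authorized handler per session also gives operators a record of anyone stepping through receipt numbers that are not theirs.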
Earlier this year, GovPayNet was acquired by telecom services company Securus Technologies. Although it has not been at the helm of GovPayNet for long, this is not the first time Securus has come up against a security problem. Three separate incidents in the last year—including misuse of services by police, stolen online credentials, and a bug that allowed anyone to reset any authorized Securus user’s password—have caught the attention of the security world.
Hopefully, the latest discovered oversight at GovPayNet leads to stronger security across the board.