Indianapolis-based GovPayNet serves approximately 2,300 government agencies in 35 states and it is used by thousands of US state and local governments to accept online payments for everything from traffic citations and licensing fees to bail payments and court-ordered fines. Thus, more than 14 million customer records were leaked, exposing personal info such as names, addresses, phone numbers and the last four digits of the payer’s credit card.
Millions of customer records could be viewed simply by altering digits in the Web address displayed by each receipt, before the flaw was revealed. On Friday, September 14, KrebsOnSecurity alerted GovPayNet that its site was exposing customer receipts. Two days later, the company said it had addressed “a potential issue” and released an official statement.
According to the document, there is no indication that any improperly accessed information was used to harm any customer, and receipts do not contain information that can be used to initiate a financial transaction.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now