GovPayNow payment portal may have exposed over 14 million customer records

Names, addresses, and financial data were reportedly compromised due to lax security practices.
Written by Charlie Osborne, Contributing Writer

A company which manages online payments for US government agencies and states has become central to a security incident leading to the potential exposure of 14 million records.

According to security expert Brian Krebs, Government Payment Service Inc., which operates as GovPayNet and runs the domain GovPayNow.com, has leaked at least six years' worth of customer data.

Krebs said in a blog post on Monday that the exposed information includes names, addresses, phone numbers, and the last four digits of credit cards submitted through online payment systems.

In total, over 14 million customer records are believed to have been compromised.

The company, based in Indianapolis, is used to process payments on behalf of government agencies.

Government bodies that contract the service can use the financial gateway to handle payments related to law enforcement agencies, courts, corrections facilities, departments of revenue, restitution payments, payment of traffic and criminal fines, property taxes, and more.

See also: Apple iOS 12 security update tackles Safari spoofing, data leaks, kernel memory flaws

Visa, MasterCard, American Express and Discover cards are accepted by the gateway. Once a payment is made, online receipts are issued to customers.

The security researcher says that potentially as far back as 2012 until the weekend, it was possible to view any customer record simply by tampering with digits displayed by the receipt in the portal's web address.

TechRepublic: Why 31% of data breaches lead to employees getting fired

GovPayNet has remained relatively tight-lipped about the incident. After Krebs notified the company of the exposure, two days later, the firm said the "potential issue" had been addressed.

"GovPayNet has addressed a potential issue with our online system that allows users to access copies of their receipts, but did not adequately restrict access only to authorized recipients," the company said in a statement. "The company has no indication that any improperly accessed information was used to harm any customer, and receipts do not contain information that can be used to initiate a financial transaction."

"Additionally, most information in the receipts is a matter of public record that may be accessed through other means," GovPayNet added.

CNET: Equifax's data breach by the numbers: The full breakdown

Earlier this month UK airline British Airways said the carrier was investigating a data breach which may have exposed 380,000 payment card records belonging to customers.

The personal and financial details of customers who made bookings between August 21 and September 5 may have also been stolen due to a security compromise of the BA website.

ZDNet has reached out to GovPayNet and will update if we hear back.

The worst cyberattacks undertaken by nation-state hackers

Previous and related coverage

Editorial standards