Government Payment Service Leaks Data On 14M Customers Online

Government Payment Service, the company that enables online payments for thousands of U.S. state and local governments, has inadvertently made available information on more than 14 million customers from as long as six years ago.

According to a report in KrebsOnSecurity, the data includes names, addresses, phone numbers and the last four digits of credit card numbers. The company, which does business as GovPayNet.com, serves around 2,300 government agencies across 35 states. Up until this weekend, KrebsOnSecurity reported people were able to view millions of customer records — and all it took was altering digits in the Web address that displayed receipts once you made a payment through the website.

In a letter to KrebsOnSecurity after it was alerted to the data leak, the company said it had addressed what it called a “potential issue,” saying the problem was with its online system that lets users access copies of their receipts “but did not adequately restrict access only to authorized recipients.”

The company went on to say in the statement that it has no indication the data was improperly accessed or that it was used to harm customers. What’s more, it said the receipts didn’t include information that could be used to engage in a financial transaction and that the information in the receipts is a “matter of public record that may be accessed through other means.” In what it went on to say was an abundance of caution, it has updated the system to ensure only authorized users can view receipts. “We will continue to evaluate security and access to all systems and customer records,” the company said in the statement to KrebsOnSecurity.

The report noted that data leaks like this one are among one of the more easily preventable forms of leaks over the Internet. In the case of GovPayNet, KrebsOnSecurity said, it was “trivial to enumerate how many records were exposed because each record was sequential.” To avoid this, the report noted eCommerce sites can use something other than sequential record numbers and/or by encrypting unique portions of the URL that is displayed when a customer pays online.