- An Indianapolis-based payments solutions provider has leaked over 14 million customer records.
- The service was used to settle both state and local government fees and fines online.
- The service is used by over 2,300 government agencies in the United States.
GovPayNet is an online payments solutions provider catering to 2,300 government agencies from 35 states in the USA. The service was responsible for the online handling of fees and fine payments that were issued by both state and local governments. An estimated 14 million unique customer receipts have been recorded on the platform that dates back to 2012.
It was possible to tweak GovPayNet receipt URLs by simply altering the digits of each receipt number, allowing anyone to get access to other people’s receipts. GovPayNet was alerted by KrebsOnSecurity about the serious flaw, and the issue has already been patched.
GovPayNet said in a statement: “GovPayNet has addressed a potential issue with our online system that allows users to access copies of their receipts but did not adequately restrict access only to authorized recipients. The company has no indication that any improperly accessed information was used to harm any customer, and receipts do not contain information that can be used to initiate a financial transaction.”
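
The flaw described above is a missing per-object authorization check on receipt lookups. The following added example is not GovPayNet's code; its receipt store, field names and function names are hypothetical. It contrasts a lookup keyed only on the receipt number with two hardened forms: an ownership check for logged-in users, and a server-signed token for emailed receipt links.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; names and fields are hypothetical.
RECEIPTS = {
    1001: {"owner": "alice", "agency": "City Court", "amount": "120.00"},
    1002: {"owner": "bob", "agency": "County Clerk", "amount": "45.50"},
}
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, never sent to clients


class AccessDenied(Exception):
    """Raised for unknown and unauthorized receipts alike."""


def lookup_unchecked(receipt_id):
    # Weak pattern: the receipt number in the URL is the only "credential",
    # so changing its digits returns someone else's receipt.
    return RECEIPTS.get(receipt_id)


def lookup_for_user(receipt_id, session_user):
    # Hardened: the record must belong to the authenticated session user.
    receipt = RECEIPTS.get(receipt_id)
    if receipt is None or receipt["owner"] != session_user:
        # One error for both cases, so responses do not reveal valid numbers.
        raise AccessDenied(receipt_id)
    return receipt


def receipt_token(receipt_id):
    # For links sent to payers without an account: a MAC over the receipt
    # number that cannot be derived from a neighbouring receipt's link.
    return hmac.new(SERVER_KEY, str(receipt_id).encode(), hashlib.sha256).hexdigest()


def lookup_with_token(receipt_id, token):
    # Compare as bytes in constant time; a token issued for another
    # receipt number fails the comparison.
    expected = receipt_token(receipt_id).encode()
    if receipt_id not in RECEIPTS or not hmac.compare_digest(expected, token.encode()):
        raise AccessDenied(receipt_id)
    return RECEIPTS[receipt_id]
```
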
Fortunately, details of financial transactions were not leaked, and only authorized users are now able to access individual receipts. GovPayNet’s parent company Securus does not have a great track record when it comes to security, and the company has been the victim of data leaks in the past. In May, it was reported that the organization’s location tracking service was being misused by law enforcement officials. Weeks later, hackers broke into the company’s systems and stole online credentials of various law enforcement officials who were using the service.
Data leaks are becoming quite common lately, with multiple databases of user data being leaked. In many cases they are preventable, but proper security measures are not taken, which leads to these unfortunate circumstances. Stolen user data can lead to various illegal activities.