PayPad Leak Reveals Sensitive Financial Data Including 2.6 Million Nigerian Credit Card Transactions

Written by Bill Toulas
Last updated October 28, 2019

Researcher Jeremiah Fowler has discovered two massive databases that were not password protected, one last February and one on October 17, 2019. As explained by the researcher today, both databases belong to the Nigerian electronic payment company named "CashEnvoy," the owner of the PayPad brand. CashEnvoy enables its clients to carry out debit and credit card payments, supporting Visa and Mastercard, and offers electronic wallets, mobile point-of-sale solutions (mPOS), and customer support. Unfortunately, all of this has now gone down the drain, as they have spilled the sensitive data of many of their customers. To make matters even worse, they managed to do so twice in the space of a few months.

[Image: exposed database. Source: Security Discovery]

The first database, discovered in February, contained CashEnvoy wallet data. More specifically, it publicly exposed over 8 million files containing the names and account information of the wallet holders, the associated merchant files, names and contacts in plain text, and administrator credentials. Moreover, any visitor could edit everything without needing elevated permissions. The second discovery, made in October, concerns another instance that was likewise publicly accessible and editable without restriction. That one contained 2.6 million records of transaction data with the card numbers stored in plain text. IP addresses, ports, pathways, and other information that would support deeper network penetration were also publicly available.

Jeremiah Fowler did try to inform PayPad of the breaches, but he hasn't heard back from them to this day. It is unclear whether the company sent any breach notices to its customers last time, or whether it plans to send any now. Nigeria has a strict data protection regulation, introduced in 2019 and heavily inspired by the EU's GDPR. Under that regulation, if a data breach exposes more than 10,000 individuals, the organization responsible receives a fine of 2% of its annual gross revenue or 10 million Naira, whichever is greater. If fewer than 10,000 individuals are exposed, the fine drops to 1% of annual gross revenue or 2 million Naira ($5,500). Of course, for any of this to happen, the authorities must first be informed of these incidents, and that is an entirely separate matter.

