Another payment portal breach - Here we go again: GovPayNow.com
Third-party vendors have historically been the Achilles heel of the business world. Examples of this abound in the news feeds of the last seven years. The first huge compromise of this kind was the Target breach, which occurred close to the holidays and was made possible by explicitly trusting a third-party vendor. This vendor, a heating/cooling vendor, allowed its compromised system to deliver the malware to Target, where it made its way to the PoS system and exfiltrated a mass of data in the form of Target customers’ credit card information.
While that was a large and eye-catching compromise, a recent breach approaches the magnitude of this type of mistake.
GovPayNow.com is a service used by government agencies to process payments. These payments were for law enforcement agencies, courts, correction facilities, departments of revenue, restitution payments, criminal fines, property taxes, and more. The company is based in Indianapolis, IN. This is a vital service for the government entities’ clients.
Unfortunately for the service, the government agencies using it, and their clients, the service was compromised. Krebs on Security notified them on September 14, 2018. To make matters worse, the exfiltrated data amounted to over 14M records, or six years of data. This included the client’s name, address, phone number, and the last four digits of the credit card number. The last four digits of the credit card number aren’t as critical as the rest of the data.
Two days after the notification by Krebs on Security, the service stated they had addressed “a potential issue”. It seems odd that a downplayed security issue (singular) would allow for this breach, fix any log records indicating who was there, and scrub any other data indicating who did this. The published accounts don’t indicate the attack vector. This could have been from a number of different sources using a myriad of unique tools and combinations of these. It could simply have been an aggressive phishing campaign.
Krebs, B. (2018, September 17). GovPayNow.com leaks 14m+ records. Retrieved from https://krebsonsecurity.com/category/data-breaches/ and https://krebsonsecurity.com/2018/09/govpaynow-com-leaks-14m-records
Osborne, C. (2018, September 18). GovPayNow payment portal may have exposed over 14 million customer records. Retrieved from https://www.zdnet.com/article/govpaynow-data-breach-leaks-over-14-million-customer-records/
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.