Sunday, October 14, 2018

Texas firm processing government payments leaks millions of records

The Texas firm Government Payment Services Inc. is used by thousands of local governments to receive online payments for all sorts of things, from court-ordered fines to licensing fees.
The firm's security breach
The breach was reported by Brian Krebs, who has a daily blog on security issues. Krebs reports that the firm compromised more than 14 million customer records dating back as far as 2012. The report claims that the information leaked includes names, addresses, phone numbers and the last four digits of credit card numbers.
Krebs alerted the company to the security problems on September 14th this year. Krebs found that it was possible to view millions of customer records simply by tweaking the digits in the web address that was displayed on each receipt.
Two days after being informed of the situation Government Payment Services said that it had addressed a "potential issue". It said there was no information that any improperly accessed information had been used to harm any customer but that it had updated its system so the issue could not happen again. The entire Krebs report can be found here.
Government Payment Services Inc. and Securus Technologies
Government Payment Services Inc. was bought by Securus Technologies at the start of this year. Securus Technologies is described by Wikipedia as follows: "Securus Technologies is a United States-based prison technology company... It was founded in 1986 and is headquartered in Dallas, Texas with regional offices located in Carrollton, Texas, Allen, Texas and Atlanta, Georgia. The company employs approximately 1,000 people and is reported to have contracts with 2,600 correctional facilities in the United States. Securus announced in July 2016 that it had invested more than $600 million in technologies, patents and acquisitions in three years." Since its inception the company has acquired 20 government services, software-based businesses, technologies, patents and exclusive agreements.
Securus Technologies provides telecommunications services to prisons, among its other work. It has already come under fire several times just this year for data breaches. Just last May it was found that Securus was abusing its cell phone-tracking abilities. Then just weeks later hackers breached the system and stole the online credentials of numerous law enforcement officials. The incident is reported here.
Krebs notes that it is relatively easy to fix these information disclosure leaks. He finds it remarkable that many organizations encounter these basic vulnerabilities. Companies with names such as Securus Technologies should live up to their names and be on top of their game.
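The receipt-address problem described above, and one way to close it, as an added example that is not from Krebs's report or the company's code. The record fields, function names and the signed-link approach are assumptions made for illustration, and the sample records are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: sequential receipt ids of the kind that can be
# walked by changing digits in the address. All names are hypothetical.
RECEIPTS = {
    1001: {"payer": "alice", "name": "Alice A.", "card_last4": "4242"},
    1002: {"payer": "bob", "name": "Bob B.", "card_last4": "1881"},
}

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, never sent to clients


def lookup_unchecked(receipt_id):
    """Weak pattern: the id in the address is all that is needed."""
    return RECEIPTS.get(receipt_id)


def receipt_token(receipt_id):
    """MAC over the id, embedded in the receipt link next to the id."""
    msg = str(receipt_id).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def lookup_with_token(receipt_id, token):
    """Link-based access: refuse any id whose token does not verify."""
    expected = receipt_token(receipt_id)
    # Constant-time comparison on bytes, so arbitrary input cannot raise.
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return None
    return RECEIPTS.get(receipt_id)


def lookup_for_user(session_user, receipt_id):
    """Logged-in access: return the record only to the payer who owns it."""
    record = RECEIPTS.get(receipt_id)
    if record is None or record["payer"] != session_user:
        return None  # same answer for "missing" and "not yours"
    return record
```

Either check makes the neighbouring receipt number useless on its own: the token for receipt 1001 does not verify for 1002, and a logged-in payer gets nothing back for a record that belongs to someone else.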

Previously published in Digital Journal

