EXECUTIVE SUMMARY:

At least 14 million customer records, some dating back six or more years, have been exposed on GovPayNow.com, the website of Government Payment Service Inc., KrebsOnSecurity reports.

The leaked data included names, addresses, phone numbers, and the last four digits of individuals’ credit card numbers.

GovPayNow.com processes online payments by citizens for government-related fines or fees for about 2,300 government agencies in 35 states. When payments are made, the site serves up an online receipt, which shows a specific web address.

Krebs writes, “It was possible to view millions of customer records simply by altering digits in the Web address displayed by each receipt.” In other words, if a receipt lived at an address like Receipt-XYZ-123.GovPayNow.com (a made-up example), changing it to Receipt-XYZ-134.GovPayNow.com would call up a different customer's record. This is a textbook insecure direct object reference (IDOR): the server trusts the identifier the client puts in the URL and never checks whether the requester is entitled to the record it names.

The issue behind the data leak resembles similar problems we have spotlighted with LifeLock and Fiserv. Exposing sequential record numbers in URLs, without an authorization check on each request, makes it trivial for bad actors to walk the entire range and harvest every record.

Adding salt to the wound, Krebs reports that the business behind GovPayNow.com was bought by Securus earlier this year. That parent company, which provides digital communications services to inmates and helps monitor released prisoners, has a reputation for being lax in the security department.

As Krebs explains, “Data exposures like these are some of the most common but easily preventable forms of information leaks online.” He adds that these leaks could be avoided on e-commerce sites just by not using easily-guessed or sequential record numbers, and/or encrypting unique portions of the URL that customers see. Unguessable identifiers are worthwhile defense in depth, but the fundamental fix is server-side: every request for a receipt must verify that the requester actually owns it, regardless of how the identifier looks.
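To make the flaw and the fix concrete, here is an added example that is not code from GovPayNow, Krebs, or this site. It models the receipt lookup described above as a tiny in-memory service: the vulnerable version trusts the sequential number from the URL, an attacker function walks the range the way Krebs describes, and the hardened version issues an unguessable token and refuses to return a receipt unless the logged-in requester owns it. All records, usernames, and function names are constructed for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Receipt:
    receipt_id: int   # sequential id, the kind embedded in the receipt URL
    owner: str        # account that made the payment
    name: str
    last4: str        # last four digits of the card, as in the reported leak


# Constructed sample data: three consecutive receipts belonging to three users.
RECEIPTS: Dict[int, Receipt] = {
    123: Receipt(123, "alice", "Alice Example", "4242"),
    124: Receipt(124, "bob", "Bob Example", "1111"),
    125: Receipt(125, "carol", "Carol Example", "9876"),
}


# --- Vulnerable lookup: the number in the URL is trusted as-is ----------------
def get_receipt_vulnerable(requester: str, receipt_id: int) -> Optional[Receipt]:
    """Return whatever record the client asked for; `requester` is never consulted."""
    return RECEIPTS.get(receipt_id)


def enumerate_receipts(requester: str, start: int, count: int) -> List[Receipt]:
    """What an attacker does with sequential ids: try each one and keep every hit."""
    hits: List[Receipt] = []
    for rid in range(start, start + count):
        receipt = get_receipt_vulnerable(requester, rid)
        if receipt is not None:
            hits.append(receipt)
    return hits


# --- Hardened lookup: opaque token plus ownership check ------------------------
# Maps the token placed in the receipt URL back to the internal record id.
# A real service would store the token alongside the receipt row.
TOKENS: Dict[str, int] = {}


def issue_receipt_token(receipt_id: int) -> str:
    """Mint the identifier shown in the URL: 128 bits from the OS CSPRNG, not a counter."""
    token = secrets.token_urlsafe(16)
    TOKENS[token] = receipt_id
    return token


def get_receipt_hardened(requester: str, token: str) -> Optional[Receipt]:
    """Resolve the token, then refuse unless the authenticated requester owns the receipt."""
    receipt_id = TOKENS.get(token)
    if receipt_id is None:
        return None
    receipt = RECEIPTS.get(receipt_id)
    if receipt is None or receipt.owner != requester:
        # Same answer for "no such receipt" and "not yours", so a probe learns nothing.
        return None
    return receipt


if __name__ == "__main__":
    # An unrelated user walking ten ids around the leaked one gets all three records.
    stolen = enumerate_receipts("mallory", 120, 10)
    print("vulnerable enumeration:", [(r.receipt_id, r.name, r.last4) for r in stolen])

    # With the hardened lookup the same user gets nothing, even holding a valid token.
    token = issue_receipt_token(124)
    print("owner lookup:", get_receipt_hardened("bob", token))
    print("attacker lookup:", get_receipt_hardened("mallory", token))
```

The ownership check is what actually closes the hole; the random token only removes the shortcut of guessing neighbouring numbers. Where a payment site lets guests pay without an account, there is no `requester` to check against, so the token alone gates access and must then be unguessable, bound to that one receipt, and ideally short-lived.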

Get the full story at KrebsOnSecurity.