INSUBCONTINENT EXCLUSIVE:
A payments processor used by local governments to collect court fines and utility bill payments from residents across Arkansas and Oklahoma
mistakenly left exposed on its website a cache of data, representing years of transactions.
Security researcher Ashot Oganesyan found a
cache of database files in a public and unprotected web directory on the website of payment processor nCourt, which runs the two payment
sites courtpay.org and utilitypay.org
The directory contained backup database files storing at least three years& worth of transactions up to and including November 2019.
The
directory was left exposed for at least five months, according to data from BinaryEdge, which scans the internet for exposed systems and
databases.
Oganesyan reported the exposure to the payments processor, and the open directory was closed on Monday.
But TechCrunch learned
Tuesday that the database files have been posted to a widely known hacking forum
Although we did not download the data from the forum, the posting — which was published prior to this article — listed the correct
number of records in each database, suggesting the posting is genuine.
TechCrunch reviewed the exposed databases and found 79,000
transaction records on courtpay.org, and 64,000 records for utilitypay.org
We verified the data by cross-referencing names and addresses against public records.
Both sets of databases contained a payee name, postal
address, email address and phone number
Each record also contained the payment card type, the first and last four-digits of the payee card number and the card expiry date.
Some
records also contained dates of birth, and partial bank account numbers when a checking account was used.
Although the payment data was
partially masked, none of the data was encrypted, despite a claim on nCourt website that &all tracked data, including account number and
expiration date, is obscured so that the data cannot be decrypted without the corresponding decryption keys.&
When reached, nCourt chief
information officer Terry Chism said the company was &aggressively gathering facts& about the security lapse, which he said affected a
&legacy& system called GovPSA.
&Upon learning the legacy GovPSA data may have been accessed, we moved the data offline,& he said
&We have also engaged a third-party forensic investigation firm which is currently conducting a forensic investigation to verify the scope
and impact of this suspected data security incident on the legacy GovPSA data and how it occurred
If we confirm that a breach has occurred, we will evaluate the legal notification obligations to individuals whose personal information may
be impacted and will notify all affected persons and regulators consistent with our legal obligations to do so.&
But that leaves its
customers — largely local governments and municipalities — in the dark
One of nCourt customers, a city in Arkansas with a population of about 30,000, told TechCrunch that they have not yet been informed of a
security lapse.
Chism declined to comment further, or answer our questions — including why the data was not encrypted.
Hackers have
planted credit card stealing malware on local government payment sites
