GovPayNow Breach Demonstrates Long & Short Term Impacts of Security Slips

On Tuesday, security researcher Brian Krebs announced an issue with a service offered by Government Payment Service Inc. called GovPayNow. This service is used by U.S. state and local governments across 35 states, and it looks like it exposed 14 million customer records online.

Whose records did they have, and what records were exposed?

Government bodies use the GovPayNow service to handle payments related to law enforcement agencies, courts, corrections facilities, departments of revenue, restitution payments, payment of traffic and criminal fines, property taxes, and more.

According to Brian Krebs, the exposed data included names, addresses, phone numbers and the last four digits of the payer’s credit card, going back six years. How? The company failed to secure these records, leaving them open for anyone to access.

Has the breach been addressed?

The company confirmed the issue identified by the researcher. It said in a statement that “GovPayNet has addressed a potential issue with our online system that allows users to access copies of their receipts, but did not adequately restrict access only to authorized recipients.” It added that it has “no indication that any improperly accessed information was used to harm any customer.”

The long-term impacts of security oversights

This is a good example of how a small security oversight might jeopardize software and leave millions of end users exposed, while making way for future, more sophisticated phishing attacks. Although personally identifiable information (PII) such as name, address, phone number and last four digits of a credit card can be damaging, end users are typically protected by their credit card companies for any fraudulent charges that might occur due to a given data breach.

The larger and longer-term threat arises when hackers use the stolen information to contact individuals and ask them to either verify their purchase or re-enter their information to confirm a purchase. This lets them gather a more complete set of PII from the end user, which can then be used in more sophisticated activities such as opening new credit cards or mortgages, or even filing false tax returns in their name. This type of attack could lead to major credit issues or accounts that the end user doesn’t even know about, unless they are lucky enough to have credit monitoring in place.

Key takeaways from this breach

This breach, and others like it, continue to occur nearly every day because software security is very difficult to implement correctly. The GovPayNow breach was a direct result of an application doing exactly what it was supposed to do in terms of intended functionality while also functioning in unanticipated ways: receipts could be retrieved without confirming that the requester was the person they belonged to. Organizations must implement multiple security checks in the application to verify that the correct information is displayed to the correct user – and nothing more.
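To make that last point concrete, here is an added example (not GovPayNet’s code; the receipt store, account ids, names and amounts are constructed sample data) of a receipt lookup with the authorization check missing, beside the same lookup with ownership verified at two layers and the response limited to the fields a receipt actually needs:

```python
# Added example, not GovPayNet's code. Models the class of flaw described
# above: a receipt endpoint keyed on the receipt id alone.
from dataclasses import dataclass
from typing import Any, Dict, Optional
import secrets


@dataclass(frozen=True)
class Receipt:
    receipt_id: str
    payer_id: str       # account that made the payment; the authorization key
    payer_name: str
    card_last4: str
    amount_cents: int


# Constructed sample store with sequential ids (the kind that can be walked).
RECEIPTS: Dict[str, Receipt] = {
    "100001": Receipt("100001", "acct-a", "A. Payer", "4242", 12500),
    "100002": Receipt("100002", "acct-b", "B. Payer", "1111", 7300),
}


def new_receipt_id() -> str:
    """Non-sequential ids remove the easy enumeration of the id space.
    This is a second layer only; it never replaces the ownership check."""
    return secrets.token_urlsafe(16)


def get_receipt_unchecked(session_user: str, receipt_id: str) -> Optional[Receipt]:
    """The flaw: the caller's identity is ignored, so any session (or none)
    can read any receipt just by supplying its id."""
    return RECEIPTS.get(receipt_id)


def get_receipt(session_user: str, receipt_id: str) -> Optional[Receipt]:
    """Data-access layer check: the query is scoped to the caller's own
    receipts, so a foreign id simply is not found."""
    own = {rid: r for rid, r in RECEIPTS.items() if r.payer_id == session_user}
    return own.get(receipt_id)


def receipt_response(session_user: str, receipt_id: str) -> Dict[str, Any]:
    """Presentation-layer check, independent of the one above. Missing and
    foreign receipts look the same to the caller, and the body carries only
    the fields needed to show a receipt, nothing more."""
    receipt = get_receipt(session_user, receipt_id)
    if receipt is None or receipt.payer_id != session_user:
        return {"status": 404, "body": {}}
    return {
        "status": 200,
        "body": {
            "receipt_id": receipt.receipt_id,
            "amount_cents": receipt.amount_cents,
            "card_last4": receipt.card_last4,
        },
    }


if __name__ == "__main__":
    # acct-a reading acct-b's receipt: the unchecked path leaks it,
    # the checked path returns 404.
    print(get_receipt_unchecked("acct-a", "100002"))
    print(receipt_response("acct-a", "100002"))
    print(receipt_response("acct-a", "100001"))
```

The two checks are deliberately in different layers: if a future query forgets the owner filter, the response layer still refuses to serialize a receipt whose `payer_id` is not the session user, and a foreign id is indistinguishable from a missing one.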


Matt has over 18 years of software development, sales engineering management and consulting experience. During this time, Matt has helped some of the largest organizations in the world in a variety of industries, regions, and technical environments implement secure software development life cycles utilizing static analysis. Matt’s extensive background in application security, object-oriented programming, multi-tier architecture design/implementation, and internet/intranet development has been key to many speaking engagements for organizations like OWASP, ISSA, and ISACA.


*** This is a Security Bloggers Network syndicated blog from Blog – Checkmarx authored by Matthew Rose. Read the original post at: