Skip to main content

Government Payment Processor Exposes Data On Millions Of Americans

By October 3, 2018June 3rd, 2022Cybersecurity

If you use the GovPayNet portal, be advised that your personal information is currently at risk. Although at this point, there’s no indication that any hacker has made use of it.  The portal is run by Government Payment Service, and is used by many Americans to pay fines, fees and bills generated by more than two thousand different government agencies operating in 35 states.

Unfortunately, the way the website is configured, when it issues a receipt for a payment, it numbers those receipts sequentially. All a hacker would have to do would be to change the receipt number in the URL to see any previous receipts, and all of the information it contains.

When the flaw was discovered by journalist Brian Krebs, more than fourteen million old records were exposed in this manner.  He contacted Government Payment Service to inform them of the flaw, and the agency moved quickly to address the issue. They said in a formal statement that they “did not adequately restrict access to only authorized recipients.”

They went on to assure their users that there’s no indication that any data had been improperly accessed. They added that the receipts generated don’t include any information that could be used by a hacker to initiate any type of financial transaction.

Unfortunately, the reality was a bit different.  The receipts contain the names, addresses and phone numbers of the person paying the fee in question, along with the last four digits of whatever credit or debit card was used to make payment. That is more than enough information to enable a hacker to initiate a phishing attack to get the rest.

Nick Bilorgoskiy of Juniper Networks had this to say about the matter:

“Online payment providers…should take special care to protect their customers’ receipts by using HTTPS and checking that the user is logged in and has permissions to view them.  To avoid information disclosure and directory traversal issues, I also recommend denying anonymous web visitors the ability to read permissions for any unnecessary files from web-accessible directories.”

It’s good advice, and here’s hoping that Government Payment Service will take it.  If you use the service, there’s nothing for you to do.  You don’t need to change your password, since it was never exposed.  Just be mindful that someone may have seen any data your receipts contain before the site was secured.

Jason Manteiga

Jason J. Manteiga, Vice President of Olmec Systems, has been part of the company for over the past 20 years. He believes that having a great work environment and supportive team, is the ultimate key to success. Since being in the IT realm for over 25 years, Jason, along with Olmec Systems, has been on the Inc. 5000 “List of America’s Fastest Growing Private Companies” and Channel Futures MSP 501 “Top Managed Service Providers in North America,” along with other awards and nominations. Jason earned his Bachelor Degree in Information Systems from the New Jersey Institute of Technology. He also holds certifications in Microsoft MCSE, VMWare VCP, and Cisco CCNA. In his spare time, Jason is a contributor for The Center for Social & Legal Research (Privacy Exchange) and a member of the Morris County Chamber of Commerce. His hobbies include cycling and kayaking. He currently lives in New Jersey with his wife, two daughters and son.