Government Website Vulnerability Exposes Over 14 Million Customers

Government Website Vulnerability Exposes Over 14 Million Customer Records

U.S. government payment site had poor security measures risking data leaks as far back as 2012

A website used by thousands of local governments in the U.S. to accept online payments has been found to contain a security vulnerability which put over 14 million customers at risk of having their data accessed.

GovPayNet, run by the company Government Payment Service Inc., processes customer payments for everything from tax payments and licensing fees to court-ordered fines and restitution payments. A very simple vulnerability caused at least 6 years of customer receipts to be made available to anyone with the keyboard savvy to change a few numbers in the URL bar of a browser. stresses that customers are now safe, and stated there was “no indication that any improperly accessed information was used to harm any customer.” The systems have been updated to close the security gap since the vulnerability was made public by KrebsOnSecurity, a security investigation website.

Web security experts found the vulnerability exasperating. Terry Ray, CTO of the cybersecurity firm Imperva, said security loopholes like this should have been closed over a decade ago.

“I don’t know where the break-down in the process was for, but something definitely didn’t happen as it should,” Ray said. “Web site usage or attacks of this type, whichever you prefer to call the situation, are avoidable.”

Chris Olson, CEO of The Media Trust, explained that these vulnerabilities are even more dangerous when found on government websites.

“Hackers target government websites for three reasons,” Olson said. “First they draw thousands, if not millions, of users who enter sensitive, personally identifiable information in order to access services or make payments. Second, they are often poorly defended as a result of limited budgets and the preponderance of legacy systems, machines, and software. Third, their digital third parties also often have inadequate security measures and practices.”

Government Payment Services Inc was acquired by Securus Technologies early in 2018. The Texas-based telecommunications company has already come under fire this year for lax security, when hackers stole the credentials of law enforcement officers off its system, in May.

KrebsOnSecurity noted that, as cybersecurity experts stated above, closing these gaps is remarkably simple.

About the Author

Jordan Lutke is an intern with 1105 Media.

  • Approaching the Education Market with Milestone Approaching the Education Market with Milestone

    Milestone’s Laurie Dickson addresses Open Architecture, new equipment and the cost of entry and upgrading VMS systems over time. She also talks about how K-12 and Higher Education campuses differ in regard to surveillance system needs. Schools have certain guidelines they must follow to protect student identities, and Laurie addresses this question as well.

Digital Edition

  • Security Today Magazine - January February 2022

    January / February 2022


    • A Power User
    • The Benefits of Transformation
    • Cloud Storage Training
    • Popular Access Control
    • Where Solar and Security Meet

    View This Issue

  • Environmental Protection
  • Occupational Health & Safety
  • Infrastructure Solutions Group
  • Spaces4Learning
  • Campus Security & Life Safety