Government Website Vulnerability Exposes Over 14 Million Customers

Government Website Vulnerability Exposes Over 14 Million Customer Records

U.S. government payment site GovPayNow.com had poor security measures risking data leaks as far back as 2012

A website used by thousands of local governments in the U.S. to accept online payments has been found to contain a security vulnerability which put over 14 million customers at risk of having their data accessed.

GovPayNet, run by the company Government Payment Service Inc., processes customer payments for everything from tax payments and licensing fees to court-ordered fines and restitution payments. A very simple vulnerability caused at least 6 years of customer receipts to be made available to anyone with the keyboard savvy to change a few numbers in the URL bar of a browser.

GovPayNow.com stresses that customers are now safe, and stated there was “no indication that any improperly accessed information was used to harm any customer.” The systems have been updated to close the security gap since the vulnerability was made public by KrebsOnSecurity, a security investigation website.

Web security experts found the vulnerability exasperating. Terry Ray, CTO of the cybersecurity firm Imperva, said security loopholes like this should have been closed over a decade ago.

“I don’t know where the break-down in the process was for Govpaynow.com, but something definitely didn’t happen as it should,” Ray said. “Web site usage or attacks of this type, whichever you prefer to call the situation, are avoidable.”

Chris Olson, CEO of The Media Trust, explained that these vulnerabilities are even more dangerous when found on government websites.

“Hackers target government websites for three reasons,” Olson said. “First they draw thousands, if not millions, of users who enter sensitive, personally identifiable information in order to access services or make payments. Second, they are often poorly defended as a result of limited budgets and the preponderance of legacy systems, machines, and software. Third, their digital third parties also often have inadequate security measures and practices.”

Government Payment Services Inc was acquired by Securus Technologies early in 2018. The Texas-based telecommunications company has already come under fire this year for lax security, when hackers stole the credentials of law enforcement officers off its system, in May.

KrebsOnSecurity noted that, as cybersecurity experts stated above, closing these gaps is remarkably simple.

About the Author

Jordan Lutke is an intern with 1105 Media.

If you like what you see, get more delivered to your inbox weekly.
Click here to subscribe to our free premium content.

comments powered by Disqus

Digital Edition

  • Security Today Magazine - October 2018

    October 2018

    Featuring:

    • Streamlined for Success
    • Making Your Expertise Unique
    • An Eye on the Campus
    • Solving Problems
    • Enhancing Security

    View This Issue

  • Environmental Protection
  • Occupational Health & Safety
  • Infrastructure Solutions Group
  • School Planning & Managmenet
  • College Planning & Management
  • Campus Security & Life Safety