14
English
Afrikaans
Albanian
Amharic
Arabic
Armenian
Azerbaijani
Basque
Belarusian
Bengali
Bosnian
Bulgarian
Catalan
Cebuano
Chichewa
Chinese (Simplified)
Chinese (Traditional)
Corsican
Croatian
Czech
Danish
Dutch
Esperanto
Estonian
Filipino
Finnish
French
Frisian
Galician
Georgian
German
Greek
Gujarati
Haitian Creole
Hausa
Hawaiian
Hebrew
Hindi
Hmong
Hungarian
Icelandic
Igbo
Indonesian
Irish
Italian
Japanese
Javanese
Kannada
Kazakh
Khmer
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latin
Latvian
Lithuanian
Macedonian
Malagasy
Malay
Malayalam
Maltese
Maori
Marathi
Mongolian
Myanmar (Burmese)
Nepali
Norwegian
Pashto
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Samoan
Scottish Gaelic
Serbian
Sesotho
Shona
Sindhi
Sinhala
Slovak
Slovenian
Somali
Spanish
Sudanese
Swahili
Swedish
Tajik
Tamil
Telugu
Thai
Turkish
Ukrainian
Urdu
Uzbek
Vietnamese
Welsh
Xhosa
Yiddish
Yoruba
Zulu
A payments processor used by local governments to collect court fines and utility bill payments from residents across Arkansas and Oklahoma mistakenly left exposed on its website a cache of data, representing years of transactions.Security researcher Ashot Oganesyan found a cache of database files in a public and unprotected web directory on the website of payment processor nCourt, which runs the two payment sites courtpay.org and utilitypay.org.
The directory contained backup database files storing at least three years& worth of transactions up to and including November 2019.The directory was left exposed for at least five months, according to data from BinaryEdge, which scans the internet for exposed systems and databases.Oganesyan reported the exposure to the payments processor, and the open directory was closed on Monday.But TechCrunch learned Tuesday that the database files have been posted to a widely known hacking forum.
Although we did not download the data from the forum, the posting — which was published prior to this article — listed the correct number of records in each database, suggesting the posting is genuine.TechCrunch reviewed the exposed databases and found 79,000 transaction records on courtpay.org, and 64,000 records for utilitypay.org.
We verified the data by cross-referencing names and addresses against public records.Both sets of databases contained a payee name, postal address, email address and phone number.
Each record also contained the payment card type, the first and last four-digits of the payee card number and the card expiry date.Some records also contained dates of birth, and partial bank account numbers when a checking account was used.Although the payment data was partially masked, none of the data was encrypted, despite a claim on nCourt website that &all tracked data, including account number and expiration date, is obscured so that the data cannot be decrypted without the corresponding decryption keys.When reached, nCourt chief information officer Terry Chism said the company was &aggressively gathering facts& about the security lapse, which he said affected a &legacy& system called GovPSA.Upon learning the legacy GovPSA data may have been accessed, we moved the data offline,& he said.
&We have also engaged a third-party forensic investigation firm which is currently conducting a forensic investigation to verify the scope and impact of this suspected data security incident on the legacy GovPSA data and how it occurred.
If we confirm that a breach has occurred, we will evaluate the legal notification obligations to individuals whose personal information may be impacted and will notify all affected persons and regulators consistent with our legal obligations to do so.But that leaves its customers — largely local governments and municipalities — in the dark.
One of nCourt customers, a city in Arkansas with a population of about 30,000, told TechCrunch that they have not yet been informed of a security lapse.Chism declined to comment further, or answer our questions — including why the data was not encrypted.Hackers have planted credit card stealing malware on local government payment sites
