A payments processor used by local governments to collect court fines and utility bill payments from residents across Arkansas and Oklahoma mistakenly left exposed on its website a cache of data, representing years of transactions.
Security researcher Ashot Oganesyan found a cache of database files in a public and unprotected web directory on the website of payment processor nCourt, which runs the two payment sites courtpay.org and utilitypay.org. The directory contained backup database files storing at least three years’ worth of transactions up to and including November 2019.
The directory was left exposed for at least five months, according to data from BinaryEdge, which scans the internet for exposed systems and databases.
Oganesyan reported the exposure to the payments processor, and the open directory was closed on Monday.
But TechCrunch learned Tuesday that the database files have been posted to a widely known hacking forum. Although we did not download the data from the forum, the posting — which was published prior to this article — listed the correct number of records in each database, suggesting the posting is genuine.
TechCrunch reviewed the exposed databases and found 79,000 transaction records on courtpay.org, and 64,000 records for utilitypay.org. We verified the data by cross-referencing names and addresses against public records.
Both sets of databases contained a payee’s name, postal address, email address and phone number. Each record also contained the payment card type, the first and last four-digits of the payee’s card number and the card’s expiry date.
Some records also contained dates of birth, and partial bank account numbers when a checking account was used.
Although the payment data was partially masked, the data was not encrypted.
When reached, nCourt’s chief information officer Terry Chism said the company was “aggressively gathering facts” about the security lapse.
Chism said the affected data was collected under a “legacy” system called GovPSA, some of whose data nCourt acquired. nCourt says that data collected via its own nCourt system was not affected, and that its own policies are to use encryption “to protect the cardholder data at the start of every transaction.”
Upon learning the legacy GovPSA data may have been accessed, we moved the data offline,” he said. “We have also engaged a third-party forensic investigation firm which is currently conducting a forensic investigation to verify the scope and impact of this suspected data security incident on the legacy GovPSA data and how it occurred. If we confirm that a breach has occurred, we will evaluate the legal notification obligations to individuals whose personal information may be impacted and will notify all affected persons and regulators consistent with our legal obligations to do so.”
Updated with additional context and clarified the original source of the data.