The trove of sensitive data belonging to California-based Cornerstone Payment Systems was left exposed on a misconfigured server without any security authentication.
In a recent find, security researcher Jeremiah Fowler and the Website Planet research team discovered an open and unprotected database that contained 9,098,506 records of credit card transactions.
What’s worse, the trove of personal and financial was left exposed on a misconfigured server without any password or security authentication.
The owner of the database was identified as Cornerstone Payment Systems, a credit card processing company based in California. Upon being informed, they took swift action to restrict public access the very same day, thanking the researchers for reporting the exposure.
Cybercrimes related to credit and financial data are especially dangerous because access to data such as partial credit card numbers, account or transaction information, names, contacts, and donation comments allow threat actors to establish a target profile.
These criminals are then able to launch highly targeted phishing campaigns or social engineering attacks. It is estimated that 98% of cyber attacks involve some form of social engineering.
The Exposed Data
In this data leak, the Personally Identifiable Information (PII) included merchants, users, and customer names, partial credit card numbers, type of card, expiration date, physical addresses, and email addresses, security or access tokens, phone numbers, and more.
Furthermore, information regarding the transaction was also included such as donation details, recurring payments, and comments. The donation details had the dollar amount and what the donation was for such as payments for goods or services, and any other transaction.
Additionally, electronic check payment data included bank names and check numbers. The notes also had authorization tokens and if the payment was declined, or accepted, and reasons for the decision.
Cybercriminals would be able to use such information to reach out to customers while pretending to be legitimate merchants or organizations. This sensitive information warrants that criminals can build a relationship of trust with their victims to obtain additional payment information or a Social Security Number (SSN) or other information for nefarious purposes.
Moreover, according to Website Planet’s blog post, since many of the transactions in this database were made for donations or recurring payments to religious organizations, charity campaigns, or nonprofit groups, the criminals could target victims based on their beliefs or the causes that they support.
Many of the transaction comments the researchers saw were for religious, pro-life/anti-abortion, anti-COVID mandates, and other conservative or religious causes. It is not uncommon for hacktivists to take a vigilante stance and attack targeted individuals.
Therefore, it is essential for organizations that collect and store PII to use encryption and take other security measures to protect their sensitive data online. It is also just as necessary for the potentially affected individuals to be notified and advised to practice extra caution in all their online interactions.