Cornerstone Payment Systems security incident involving 9 million credit card transaction records

Sicherheit (Pexels, allgemeine Nutzung)[German]Anyone who is connected to the Internet leaves traces, especially when they make payments by credit card. Security researchers have now discovered an unsecured database that was freely accessible via the Internet. This database contained 9 million credit card transaction data. The database belongs to the California-based US company Cornerstone Payment Systems.


Advertising

The security incident was discovered by security researcher Jeremiah Fowler together with the research team from Website Planet and described in this post. While searching for open databases, they came across an Internet-accessible, open, and non-password protected database that contained 9,098,506 records and personal data.

There was a folder (table) called "Transactions": this contained data with credit card processing information (internal transaction logs) with the names of merchants and payees, partial credit card numbers, credit card expiration dates, the email addresses, phone numbers, security or access tokens, and more.

This data should be considered personally identifiable information (PII). The donors or merchants could become targets of spam or social engineering scams. In a limited sample, security researchers have determined that these appear to be real people and active contacts.

Some of the records included card numbers, card types, expiration dates, donation details, recurring payments, and comments. Donation details included the dollar amount and purpose of the donation, such as donations, payments for goods or services, and basically any other transaction. Electronic check payment data included bank names and check numbers. The notes also included approval marks and whether the payment was declined or accepted and the reasons for that decision.

Many of the transactions the security researchers saw when sifting through the records involved donations or recurring payments to religious organizations, charitable campaigns, or nonprofit groups.


Advertising

In some cases, donors marked "anonymous" in the database were identified in the records by their names and email addresses in plain text, along with comments about their donation. According to security researchers, the records not only revealed the identity of "anonymous" donors. The comments also made it possible to find out the donors' views and beliefs – information that the individual donors may not have wanted to be publicly known – because they were exposing themselves to additional privacy risk.

In a random sample of 10,000 records, the security researchers looked for common email accounts within the data. As a result, 3,641 Gmail addresses, 1,194 Yahoo addresses and a small number of MSN, Comcast and other providers or private email servers could be extracted. Details of the data found are described in this post.

Upon further investigation, evidence of the California-based company Cornerstone Payment Systems was found. The security researchers contacted this company, who then restricted public access to the database on the same day.

Cornerstone West Inc. is a registered independent sales organization (ISO) of Deutsche Bank, USA, New York, NY, according to the Planet website. Cornerstone is one of the nation's leading Christian-owned independent sales organizations in the trade processing industry. The service provider offers transaction processing for companies and groups that align with Cornerstone beliefs and ideologies (in the religious realm).


Advertising

This entry was posted in Cloud, Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).