[BreachExchange] 2.5M credit card records belonging to transaction firm PAAY exposed online

Destry Winant destry at riskbasedsecurity.com
Fri Apr 24 10:10:58 EDT 2020


https://siliconangle.com/2020/04/22/2-5m-credit-card-records-belonging-transaction-firm-paay-exposed-online/

A database with 2.5 million credit card transactions belonging to New
York mobile payments solutions provider PAAY LLC has been found
exposed online.

Discovered and revealed today by security researcher Anurag Sen, the
database included credit card numbers, expiration dates and amount
spent dating back to Sept. 1. The database did not include cardholder
name or card verification values, somewhat limiting the usefulness of
the data to hackers.

The data is said to have been exposed online for at least three weeks
until it was taken offline after TechCrunch contacted the company.
PAAY admitted that a database belonging to it had been accidentally
exposed but disputed the claim that the database included credit card
numbers.

“On April 3, we spun up a new instance on a service we are currently
in the process of deprecating,” PAAY co-founder Yitz Mendlowitz said.
“An error was made that left that database exposed without a
password.”

Although not confirmed, it would appear to be yet another case of a
company failing to properly secure a cloud-hosted database. The list
of companies who have exposed data in this way is extraordinarily
long, although cases have dropped off in 2020 as security awareness
around the issue continues to improve.

“PAAY offers a service as a third-party middleman between two banks by
providing an additional security layer for the transactions but
unfortunately leaves all records exposed without passwords and
vulnerable to attacks,” Robert Prigge, chief executive officer of
identity verification solutions company Jumio Corp., told
SiliconANGLE. “It’s important for banks of all sizes to only rely on
vendors and third parties that are PCI-compliant and come equipped
with the necessary security and certifications to keep customers
protected.”

Passwords in general can no longer be trusted to keep sensitive data
safe in today’s fraud environment, Prigge said.

“The timing of this breach also couldn’t be worse for victims as
storefronts are closed amid the global health pandemic and more
purchases are made online,” he said. “Impacted users are at greater
risk for cybercriminals using exposed credentials to make fraudulent
purchases.”

Instead of passwords, he added, artificial intelligence is the key.
“Coupled with facial authentication using a person’s unique biological
characteristics to confirm identity, AI ensures a cardholder is who
they say they are when making an online purchase,” he said.

