GovPayNow Leak of 14M+ Records The All Time Low in Processing

GovPayNow.com, a payment processing firm that accepts US State and local government billing payments are currently in the hot seat, as an estimated 14 million of their customers’ records have been stolen. The records involved in the data breach include full names, address, phone numbers, and the last four digits of the customer’s credit card. GovPayNow.com has been the primary payment processing company covering payments for fines and penalties incurred by a US citizen.

“GovPayNet has addressed a potential issue with our online system that allows users to access copies of their receipts, but did not adequately restrict access only to authorized recipients,” said GovPayNet’s representative. The company has further defended itself from the negative perception of the public, in their defensive posturing the company emphasized: “The company has no indication that any improperly accessed information was used to harm any customer, and receipts do not contain information that can be used to initiate a financial transaction. Additionally, most information in the receipts is a matter of public record that may be accessed through other means. Nonetheless, out of an abundance of caution and to maximize security for users, GovPayNet has updated this system to ensure that only authorized users will be able to view their individual receipts. We will continue to evaluate security and access to all systems and customer records.”

Brian Krebs, a security expert of Krebsonsecurity.com has exposed that six years worth of personally identifiable data is now in the hands of third parties, and the poor victims are now in serious risk of identity theft. The data breach window started from 2012 until the last weekend, a very long time from the standpoint of security experts, not compared to an average data breach case.

This is not the first time that GovPayNet has been involved in a cybersecurity issue, in May 2018, their subsidiary Securus Technologies was involved with unauthorized real-time location tracking of mobile phone users in North America. Securus Technologies was also a victim of a data breach, where online credentials of law enforcement officials were stolen. These online credentials have capabilities to track the location of crime suspects via their mobile phones.

Critical infrastructure protection creates a new set of problems for national security. Different actors are involved. The focus is on civilian and commercial systems and services. Military force is less important. The scope of these new problems depends on how we define national security and how we set thresholds for acceptable damage. From a legal or public safety perspective, no country will accept even a single attack on the infrastructure or interruption of services.

If the goal is to prevent cyber-attacks from costing a single day of electric power or water service, we have set a very high standard for security. However, from a strategic military perspective, attacks that do not degrade national capabilities are not significant. From this perspective, if a cyber-attack does not cause damage that rises above the threshold of the routine disruptions that every economy experiences, it does not pose an immediate or significant risk to national security.