Paay apparently failed to password-protect the server, allowing anyone to access the data inside. Specifically, the housed data contains plaintext credit card numbers, expiration dates, the amount spent and partially masked copies of each credit card number; cardholder names and Card Verification Value numbers (CVVs) were not included.
To address the issue, Paay is notifying between 15 and 20 merchants. Furthermore, the company is working with a forensic auditor to determine the scale of the problem, as FinTech Global reports.
This incident fits a broader pattern of risk exposure in which consumer personal data is the number one target, accounting for 97 percent of breaches according to ForgeRock.
Commenting on the data breach, Chris DeRamus, CTO and co-founder of DivvyCloud, notes: “According to Paay’s CEO, they spun up and subsequently misconfigured an instance, leaving their database of 2.5 million card transaction records exposed to the public without a password.”
He also notes that such issues are not uncommon, with a steady rise in data exposures being recorded. The problem he identifies as most significant is that companies are not proactive about protecting data; too many responses are simply reactions after a data violation has already occurred.