
Millions of Credit Card Numbers Exposed by New York Payment Startup

Paay, a New York-based payment processor, exposed a large amount of credit card data through an unprotected server. The server, which contained nearly 2.5 million transaction records, stayed online for around three weeks. TechCrunch analyzed a few of the transaction records and discovered that anyone could have viewed full plaintext credit card numbers, expiration dates, and the amount spent. Fortunately, cardholder names were not available, which makes it more difficult to use the other information for fraud. Yitz Mendlowitz, co-founder of Paay, said, “On April 3, we spun up a new instance on a service we are currently in the process of deprecating.” He also denies that TechCrunch found credit card numbers, as he says they do not store them. Paay has begun informing between 15 and 20 merchants that the data was exposed.

Analyst Notes

Companies that handle any sensitive data should perform regular audits to ensure that the data is not exposed on servers or stored without encryption. Many security incidents have been the result of misconfigured servers that allow access without a password. Access to servers should be protected using Multi-Factor Authentication (MFA) and monitored for unexpected login events or other signs of attacker behavior. While the data has since been removed, it is possible that any number of criminals accessed the data while it was online. Credit reports should be continuously monitored for suspicious activity. If any suspicious activity is noticed, cardholders should report it to the FDIC and their card-issuing company as soon as possible.

Source: https://techcrunch.com/2020/04/22/paay-unencrypted-credit-card-data/

https://www.digitalocean.com/community/tutorials/7-security-measures-to-protect-your-servers