Credit Card Company Exposed 9 million Transaction Records Online


Security researcher Jeremiah Fowler, together with Website Planet's research team, discovered an unprotected, publicly exposed database containing more than 9.1 million records, including Personally Identifiable Information (PII).

The data contained confidential information such as merchant names, payee names, partial credit card numbers, expiration dates, email addresses, and security or access tokens.

During our investigation we identified a link between the California-based dataset and Cornerstone Payment Systems. We verified that the data was genuine, promptly sent a responsible disclosure notice, and public access was restricted as soon as the owner was identified.

Cornerstone acted quickly and professionally and thanked us for reporting the exposure. According to their website: Cornerstone West Inc. is a registered independent sales organization (ISO) of Deutsche Bank, USA, New York, NY. Cornerstone provides merchant processing for businesses that align with their beliefs and ideology.

As a part of our commitment, we will not process credit card orders for morally objectionable companies.

Criminal activity relies heavily on obtaining and using credit and financial data. Criminals could use partial credit or debit card numbers, account information, transaction history, names, contact lists, and donation details to build profiles of people based on their religious beliefs or the causes they are passionate about.

These criminals could then launch a highly targeted phishing campaign or social engineering attack. An estimated 98 percent of cyber-attacks use social engineering.

This publicly available dataset could have been a valuable goldmine for cybercriminals.

What the Database Contained:

Total number of records exposed: 9,098,506.

Folder named Payments: external transaction logs listing merchants, users, phone numbers, physical addresses, and email addresses. This data can be considered Personally Identifiable Information (PII).

In a random sample of 10,000 records, we searched for common email providers in the data. The results were as follows: 3,641 Gmail accounts, 1,194 Yahoo addresses, and a limited number of MSN, Comcast, and other email accounts.

Some of these people or businesses may be targeted in phishing or similar social engineering techniques. We have investigated a limited sample and found that they are genuine people and legitimate contacts.

The records revealed partial card numbers, locations, dates, transaction details, and comments. The transaction details included the amount and whether the payment was a donation, a purchase of goods or services, or another type of transaction. Electronic check payment information included the merchant's bank name and the check number.

The payment notes included authorization tokens, whether the transaction was accepted or declined, and the reason for that decision.

The data also revealed the identities of anonymous donors and their comments, which the commenters may not have wanted made public and which could, in some circumstances, undermine their privacy.

Example of a record from a donor who asked to remain anonymous, and an example of what the transaction logs looked like, with names, emails, and other data in plain text.

What is the Risk of a Credit Card Processing Data Leak?

According to the U.S. Federal Reserve, an estimated 76 percent of purchases made in 2021 were made using a credit card. In many cases, when spending or making donations online, a credit card is the primary or only payment option.

Payment card processors aggregate data from many merchants, so an exposure at the processor affects far more people than a breach of a single merchant's systems.

Credit card processing involves transmitting sensitive cardholder information to confirm a transaction during the approval or rejection process. The payment card industry is subject to strict data security requirements such as the Payment Card Industry Data Security Standard (PCI DSS).

The basic purpose of the PCI rules is to set security requirements for companies that collect, store, process, or transmit credit card data. Compliance with the PCI rules is not mandated by the federal government, nor is it enforced by individual government agencies.

These guidelines are instead governed by the Payment Card Industry Security Standards Council, an independent body formed in 2006 by the major card brands (American Express, Discover, JCB, MasterCard, and Visa).

Failure to meet PCI compliance standards can expose a business to penalties from the card payment service providers, which can be severe depending on the size of the company and the duration of non-compliance.

Phishing and Social Engineering


Criminals could pose as legitimate merchants to approach and deceive their targets. They would already have all the information needed to build a trusting relationship with a victim and obtain further private information, such as full credit card details or a Social Security Number (SSN).

A typical call would claim, "We see you donated $500 to XYZ cause in March and need to validate your credit card ending in 1234." The victim would have little reason to question the call, since the caller references only the charity or vendor the victim actually supported or purchased from.

Targeted Attacks

Many of the comments we saw concerned social causes, positions on abortion, opposition to Covid-19 measures, and other political or religious causes. In the current contentious climate, another risk is that individuals named in the exposed records could be targeted because of their beliefs or the causes they support.

Criminals have in the past acted as vigilantes, and coordinated attacks have occurred over the years. For example, in November 2022, hackers stole data from Australia's largest health insurance provider, Medibank, and released abortion records online after the insurer refused to pay a $10 million ransom.

Those records were obtained by hacking and may simply have been used for financial gain. In June 2022, SiegedSec targeted US government agencies holding pro-life political and religious stances and launched cyberattacks against their sensitive data.

Methodology:

It is difficult to estimate the total financial impact of this incident. Recurring payments generate multiple transaction records with the same payment data for the same customer. For example, if one customer made monthly payments for several years, that would produce many records with near-identical payment information, so the record count overstates the number of affected people.
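The two scoping steps described above (counting email providers in a sample of records, and recognising that recurring payments inflate the record count) can be done in a few lines. The following is an added example, not code from the article or from Cornerstone; it runs over a small constructed sample of records shaped like the logs the article describes, and the field names are assumptions.

```python
import re
from collections import Counter

# Constructed sample of exposed transaction-log records, in the shape the article
# describes (names, emails, partial card numbers in plain text). Not real data;
# field names are assumptions.
SAMPLE_RECORDS = [
    {"merchant": "Example Charity", "payee": "A. Donor", "email": "adonor@gmail.com",
     "card_last4": "1234", "exp": "04/25", "amount": 500.00, "note": "donation 2022-03"},
    {"merchant": "Example Charity", "payee": "A. Donor", "email": "adonor@gmail.com",
     "card_last4": "1234", "exp": "04/25", "amount": 500.00, "note": "donation 2022-04"},
    {"merchant": "Example Charity", "payee": "A. Donor", "email": "adonor@gmail.com",
     "card_last4": "1234", "exp": "04/25", "amount": 500.00, "note": "donation 2022-05"},
    {"merchant": "Example Store", "payee": "B. Buyer", "email": "bbuyer@yahoo.com",
     "card_last4": "9876", "exp": "11/24", "amount": 42.10, "note": "goods"},
    {"merchant": "Example Store", "payee": "C. Client", "email": "cclient@comcast.net",
     "card_last4": "5555", "exp": "01/26", "amount": 19.99, "note": "services"},
    {"merchant": "Example Charity", "payee": "Anonymous", "email": "dgiver@gmail.com",
     "card_last4": "1234", "exp": "09/27", "amount": 25.00, "note": "anonymous donation"},
]

EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")

def email_provider_counts(records):
    """Records per email provider domain, the count the article ran on its 10,000-record sample."""
    counts = Counter()
    for rec in records:
        m = EMAIL_RE.match(rec.get("email", "").strip().lower())
        if m:
            counts[m.group(1)] += 1
    return dict(counts)

def estimate_affected_cardholders(records):
    """Distinct (last4, expiry, payee) tuples, so a monthly recurring payment is counted
    once rather than once per record; len(records) is the upper bound, this is tighter."""
    keys = {(r["card_last4"], r["exp"], r["payee"].strip().lower()) for r in records}
    return len(keys)

def contacts_by_merchant(records):
    """Distinct contact emails per merchant: the list a processor needs for breach notification."""
    out = {}
    for r in records:
        out.setdefault(r["merchant"], set()).add(r["email"].strip().lower())
    return {m: sorted(emails) for m, emails in out.items()}
```

On the sample, six records reduce to four distinct cardholders, which is the gap between "records exposed" and "people affected" that the methodology section warns about.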

Terraeagle's goal is the protection of customer data, and we aim to raise awareness of data security incidents by publishing our findings. Cornerstone acted responsibly, and we imply no wrongdoing on its part in relation to customer data.

Nothing in this article should be read as the writer's opinion on whether legal penalties should apply to the data incidents described here.

The statistics, factual data, and other information in this article are believed to come from reliable sources, but we acknowledge that some data may be unverifiable, outdated, or inconsistent.
