Recently I discovered a non-password protected database that contained 9,098,506 records and Personally Identifiable Information (PII). This data contained credit card processing information that included merchant names, payee names, partial credit card numbers, expiration date, email address, security or access tokens, and more. Upon further research there were references to California based Cornerstone Payment Systems.
Credit and financial data is highly sensitive due to the fact that nearly all cybercrime is financially motivated. If criminals had partial credit card numbers, account or transaction information, names, contacts, and donation comments, they could hypothetically establish a profile on those individuals based on their religious affiliation or causes they are passionate about. These criminals could then launch a highly targeted phishing campaign or social engineering attack. It is estimated that 98% of cyber attacks involve some form of social engineering. This publicly exposed dataset could have been a potential goldmine to cybercriminals to work from.
What the Database Contained:
- Total Number of Records Exposed: 9,098,506
- Folder named “Transactions” : Internal transaction log records that included merchants, users, and customer names, physical addresses and email addresses, phone numbers, and much more. This data could be considered Personally Identifiable Information (PII).
- In a random sample of 10,000 records we searched for common email accounts inside the data. The results were as follows: 3,641 Gmail addresses, 1,194 Yahoo addresses, and small numbers of MSN, Comcast, and other providers or private email servers.
Jeremiah Fowler
View More PostsJeremiah Fowler: Director of Security Research, Communications Specialist, Journalist and Cofounder at SecurityDiscovery.com. I care about data protection, privacy, cyber security issues, and responsible disclosure. Contact me: j(at)securitydiscovery.com Twitter: @Yoda69
