2.59 Million Credit Card Transactions Exposed –

Jeremiah Fowler

Jeremiah Fowler

Director of Security Research and Senior Communications Consultant

3 minutes read
2.59 Million Credit Card Transactions Exposed - Security Discovery

Two data incidents just months apart from each other. Back in February 2019 I found a database that belonged to a Nigerian based company. The first database contained over 8 million records. The  representatives replied to my responsible disclosure notice and they were very responsive. They acted fast to protect the data of their users and close public access.

Our goal is to help not harm when it comes to our responsible disclosures. According to the IBM-Ponemon Institute the larger the data breach an organization suffers once, the less likely it is that it will have another breach in the next 24 months. In theory, by not publishing my first discovery it increased the likelihood of a data exposure at the payment processing company.

“PayPad is a world class FinTech Company, and the first mPOS provider in Nigeria offering innovative and practical payment solutions to merchants” According to their website.

What was discovered:

The first database I discovered in Feb. 2019 was the CashEnvoy wallet data and the second discovery in Oct. 2019 appeared to be PayPad’s credit and debit card transactions. The numbers were partially encrypted and would have made it more difficult for cyber criminals to access the remainder of the data.

Summary the first Database discovered in Feb. 2019:

Summary of the 2nd Transaction Database Discovered Oct 2019:


All Data is Global

It does not matter if you are in New York, London, or Lagos people deserve to have their private and sensitive data protected. Technology companies even in emerging markets must do more to protect the data they collect and store on their users and partners. The processor had a wake up call and have taken actions to mitigate future risk. User data is valuable no matter where you are from or who you are and this discovery highlights the need for organizations to put a focus on data security.

On January 25, 2019, Nigeria’s National Information Technology Development Agency (“NITDA”) issued the Nigeria Data Protection Regulation 2019 (the “Regulation”). Many concepts of the Regulation mirror the EU General Data Protection Regulation (“GDPR”). The Regulation states that any entity found to be in breach of the privacy rights of any data subject will be liable, in addition to any other criminal liability, for the following:


← Back to Blog

Got your attention?

Stay ahead of cyber threats with Security Discovery. We offer expert consulting, comprehensive services, and a powerful vulnerability monitoring SaaS platform. Protect your business proactively - get in touch today for personalized digital security solutions.

Business Development
Virginia, United States
Research & Development
Kyiv, Ukraine
Technical HQ
Hamburg, Germany