Paay Misconfiguration Leaves Transaction Data Exposed
The New York-based credit-card processor left a server without password protection for approximately three weeks.
Paay, a New York-based card payment processor, failed to enable a password on a server storing personal information related to some 2.5 million consumer transactions. The server was open to the Internet for approximately three weeks before being pulled offline once Paay was notified of the open server.
According to TechCrunch, the records contained the full plaintext credit card number, expiry date, amount spent, and a partially masked copy of each credit card number. No consumer names or CVCC numbers were in the records. Paay's CEO says the configuration error came in a transition between servers.
"Unfortunately, Paay's misconfiguration is quite common and we've grown used to seeing these data exposures pop up in headlines every couple of weeks," says Chris DeRamus, CTO and co-founder of DivvyCloud. "The friction you hear about between security professionals and developers generally stems from a reliance on runtime security which, in turn, makes it more likely that developers will try to circumvent security altogether, leading to, you guessed it, more misconfigurations."
Read more here.
A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19.
About the Author
You May Also Like
Cybersecurity Day: How to Automate Security Analytics with AI and ML
Dec 17, 2024The Dirt on ROT Data
Dec 18, 2024