
Payments Processor nCourt Left Years Of Data Exposed

Data from court and utility payments in Arkansas and Oklahoma was left unsecured

Payments processor nCourt, used by Arkansas and Oklahoma to collect court and utility fees, has apparently left years of user data unsecured, according to a report by TechCrunch.

nCourt runs two court payment sites in the aforementioned states: courtpay.org and utilitypay.org.

This oversight was discovered by a security researcher, Ashot Oganesyan, who found a host of database files in an unsecured location in nCourt's web directory. The data comprised at least three years of payments up to November 2019. As of Tuesday (April 7), the data had been posted on a widely known hacking forum and, according to analysts, appeared to be accurate.

The exposed files contained 79,000 transaction records for courtpay.org and 64,000 records for utilitypay.org. The records included payees’ names, email addresses, phone numbers, payment card types, the first and last four digits of the card number, and the card’s expiration date. Some records also included dates of birth for payees and partial bank account numbers if a checking account had been used to pay.

The data had been exposed for at least five months, according to information from BinaryEdge, which looks for cases of exposed data all over the internet.

Terry Chism, nCourt’s chief information officer, said the company was “aggressively gathering facts” about the mistake. He said the security breach had primarily affected a legacy system called GovPSA, and that, if needed, nCourt would contact anyone whose data might have been exposed, after a full investigation was done.

Chism didn’t say how the data had been left unsecured in the first place.

That isn’t much consolation for one nCourt customer, an Arkansas town with a population of around 30,000, which said it hadn’t been informed of any security lapse yet.

As the world moves further into its new digital era, developers have begun looking at ways to advance digital identities toward harder-to-hack measures like biometrics, requiring more authentication than the traditional email or sign-up methods.

