Date: 2020-04-23

Security & Fraud

Payments Startup Paay Left Credit Card Info Exposed

A database belonging to payments startup Paay, storing millions of credit card transactions, was left unsecured for weeks and has only now been closed again, according to a TechCrunch report.

Paay works with other payment processors, verifying payments for outside vendors to make sure there is no fraud going on.

Paay’s mistake was not having a password set on its server, which allowed anyone to see the data inside.

Paay Co-Founder Yitz Mendlowitz said the error had been made on April 3 while the company was updating a service, and someone had accidentally left the database without a password.

He said the company was currently mediating the situation with an outside source to see what the extent of any damage could have been. Mendlowitz said the company had told around 15 to 20 merchants about the lapse.

A security researcher, Anurag Sen, accessed the files and estimated around 2.5 million transactions were residing on the server.

According to the report, the data contained a trove of information dating back to Sept. 1, 2019, showing the full plaintext credit card number, the expiration date and the amount of money spent, along with a partial view of the credit card number. Mendlowitz said the company has no use for credit card numbers and does not store them, in spite of what reporters saw firsthand.

People’s names and card verification values were not included, which made it tougher for fraud to be committed using the information.

Paay is not alone among companies that have had security lapses so far this year. Two U.S.-based payment sites for court and utility payments were found to have left data unsecured in early April, and in January, a Christian service called Cornerstone Payments was found to have left millions of customer payments exposed online, according to a separate TechCrunch report.

And, more recently, the Small Business Administration may have left data for applicants for coronavirus-related loans exposed.

