A payments provider for paying court fines and utility bills exposed years of transactions

NelsonG · April 7, 2020

A payments processor used by local governments to collect court fines and utility bill payments from residents across Arkansas and Oklahoma mistakenly left exposed on its website a cache of data, representing years of transactions.

Security researcher Ashot Oganesyan found a cache of database files in a public and unprotected web directory on the website of payment processor nCourt, which runs the two payment sites courtpay.org and utilitypay.org. The directory contained backup database files storing at least three years’ worth of transactions up to and including November 2019.

The directory was left exposed for at least five months, according to data from BinaryEdge, which scans the internet for exposed systems and databases.

Oganesyan reported the exposure to the payments processor, and the open directory was closed on Monday.

But TechCrunch learned Tuesday that the database files have been posted to a widely known hacking forum. Although we did not download the data from the forum, the posting — which was published prior to this article — listed the correct number of records in each database, suggesting the posting is genuine.

TechCrunch reviewed the exposed databases and found 79,000 transaction records on courtpay.org, and 64,000 records for utilitypay.org. We verified the data by cross-referencing names and addresses against public records.

Both sets of databases contained a payee’s name, postal address, email address and phone number. Each record also contained the payment card type, the first and last four-digits of the payee’s card number and the card’s expiry date.

Some records also contained dates of birth, and partial bank account numbers when a checking account was used.

Although the payment data was partially masked, none of the data was encrypted, despite a claim on nCourt’s website that “all tracked data, including account number and expiration date, is obscured so that the data cannot be decrypted without the corresponding decryption keys.”

When reached, nCourt’s chief information officer Terry Chism said the company was “aggressively gathering facts” about the security lapse, which he said affected a “legacy” system called GovPSA.

“Upon learning the legacy GovPSA data may have been accessed, we moved the data offline,” he said. “We have also engaged a third-party forensic investigation firm which is currently conducting a forensic investigation to verify the scope and impact of this suspected data security incident on the legacy GovPSA data and how it occurred. If we confirm that a breach has occurred, we will evaluate the legal notification obligations to individuals whose personal information may be impacted and will notify all affected persons and regulators consistent with our legal obligations to do so.”

But that leaves its customers — largely local governments and municipalities — in the dark. One of nCourt’s customers, a city in Arkansas with a population of about 30,000, told TechCrunch that they have not yet been informed of a security lapse.

Chism declined to comment further, or answer our questions — including why the data was not encrypted.