A little-known payment processing company that describes itself as a “Christian-friendly company” and says it “does not handle credit card transactions for ethically repugnant businesses” exposed years of customer payment records online, according to a report by the media outlet TechCrunch. The database holds 6.7 million records dating back to 2013 and is updated daily. It is not password protected, so anyone who finds it can view its contents.
Security researcher Anurag Sen found the database. TechCrunch identified its owner as Cornerstone Payment Systems, which provides payment processing to U.S. ministries, nonprofits and other businesses it considers ethically compliant, including churches, religious radio personalities and charitable groups. Payment processors handle credit and debit card transactions on behalf of merchants.
A review of a portion of the database showed that each record contains the payee’s name, email address and, in many but not all cases, a postal address. Each record also contains the name of the merchant being paid, the card type, the last four digits of the card number and its expiration date.
The data also includes the exact date and time of each transaction and whether the payment was approved or declined. Some records carry notes from customers that typically describe the purpose of the payment, such as a donation or a memorial gift.
Although there is some evidence of tokenization (replacing sensitive values such as full card numbers with unique strings of letters and numbers), the database itself is not encrypted, so every other field is readable in clear text.
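To make the distinction in that paragraph concrete, the following is an added example (not Cornerstone’s code, and the field names and sample values are constructed here): the full card number is swapped for a random token held in a separate vault, while the transaction record keeps only the token and the last four digits. Dumping the transaction store without the vault yields no full card numbers, but it still yields every other column the article lists, which is exactly why tokenizing one field does not make an unprotected, unencrypted database safe.

```python
import hmac
import hashlib
import secrets

# Constructed sample inputs (not a real card or person): a standard test PAN
# that passes the Luhn check, and the fields the article lists for one record.
SAMPLE_PAN = "4111111111111111"
SAMPLE_EXPIRY = "12/27"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum.

    Malformed card numbers are rejected before they ever reach the vault.
    """
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the only copy of full card numbers, keyed by random tokens.

    The transaction database stores just the token and the last four digits,
    so a leaked copy of that database exposes payer, merchant and card metadata
    in clear text but never the full PAN. The vault (and its HMAC key) must
    therefore be locked down far more tightly than the transaction store.
    """

    def __init__(self) -> None:
        # Hypothetical in-memory key; a production vault keeps this in an HSM or KMS.
        self._hmac_key = secrets.token_bytes(32)
        self._pan_by_token: dict[str, str] = {}
        self._token_by_fingerprint: dict[str, str] = {}

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash lets the vault recognise a repeat card without indexing by raw PAN.
        return hmac.new(self._hmac_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("card number fails Luhn check")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fingerprint:       # same card -> same token (recurring payments)
            return self._token_by_fingerprint[fp]
        token = "tok_" + secrets.token_hex(16)     # random: carries no information about the PAN
        self._pan_by_token[token] = pan
        self._token_by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def build_record(vault: TokenVault, pan: str, expiry: str, payer: str, email: str,
                 merchant: str, card_type: str, status: str, note: str) -> dict:
    """Create a transaction record shaped like the ones the article describes."""
    return {
        "payer_name": payer,
        "email": email,
        "merchant": merchant,
        "card_type": card_type,
        "card_token": vault.tokenize(pan),
        "last4": pan[-4:],
        "expiry": expiry,
        "status": status,
        "note": note,
    }


def exposed_fields(record: dict) -> dict:
    """What a copy of the unencrypted transaction database reveals on its own.

    The token is opaque without the vault, but every other column is readable.
    """
    return {k: v for k, v in record.items() if k != "card_token"}


if __name__ == "__main__":
    vault = TokenVault()
    rec = build_record(vault, SAMPLE_PAN, SAMPLE_EXPIRY, "A. Donor", "donor@example.com",
                       "Example Ministry", "Visa", "approved", "memorial gift")
    print("stored record:", rec)
    print("readable without the vault:", exposed_fields(rec))
    print("full PAN recoverable only via the vault:", vault.detokenize(rec["card_token"]))
```

The design point is that tokenization narrows the blast radius to the vault: an exposed transaction store leaks names, emails, merchants, last-four digits and expiry dates, which is sensitive personal data in its own right and is why the remaining columns still need access control and encryption of their own.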
TechCrunch used several email addresses found in the database to reach affected customers. Two people whose names and transactions appeared in the database confirmed that the information was accurate.
After TechCrunch contacted Cornerstone, the company took the database offline. Tony Adamo, a spokesman for the company, said: “Cornerstone Payment Systems has secured access to all servers.
“It is critical that Cornerstone Payment Systems does not store complete credit card data or check data. We have taken enhanced security measures to lock all URLs. We are currently reviewing all logs for any potential access,” he added.
Cornerstone did not say whether it had notified state regulators of the exposure, as California’s data breach notification law requires.