Security researcher Jeremiah Fowler recently disclosed that over 2.9 million credit/debit card transactions have been exposed.
This comes after a worldwide leak put over 800,000 Nigerians' medical records at risk. Jeremiah wrote in his article that he had earlier found a database belonging to Nigeria-based Electronic Settlements Limited / CashEnvoy, which contained over 8 million records.
“Back in February 2019 I found a database that belonged to Nigerian based Electronic Settlements Limited / CashEnvoy. The first database contained over 8 million records.”
He reached out to their representatives as a means of responsible disclosure and “they acted fast to protect the data of their users and close public access”.
Jeremiah further said he asked them whether they had notified their users, merchants or partners about the data leak, but they were no longer answering his messages.
“When I asked them if they had notified their users, merchants, or partners they disappeared and stopped answering our messages. We did not publish our discovery at that time as a professional courtesy and because of how concerned they appeared to be before they ignored all communication and went silent.”
On October 17th, they discovered another massive database of 2.59 million credit/debit card transactions. This was discovered on PayPad’s database.
“Unfortunately, the discovery of a 2nd massive database of 2.59 million credit / debit card transactions on October 17th shows that they did not take data protection seriously, notify their users, or fully restrict outside access to highly sensitive payment data. This is the dilemma we often face with raising awareness with our discoveries.”
What was discovered
The first database, discovered in February 2019, had 8 million+ files with names and account and wallet transaction information. It also included merchant files, names and contacts in plain text, and admin credentials. There were a total of 11 open databases, and data could be edited or deleted with no admin permissions.
The second transaction database, discovered in October 2019, had 2.59 million records of transaction data with card numbers in plain text, along with IP addresses, ports, pathways, and storage information that cyber criminals could exploit to access deeper into the network. It was open and visible in any browser (publicly accessible), and anyone could edit, download, or even delete data without administrative credentials.
“The first database I discovered in Feb. 2019 was the CashEnvoy wallet data and the second discovery in Oct. 2019 appeared to be PayPad’s credit and debit card transactions. This is one of the largest collections of credit card numbers I have ever seen and the worst part was that only a small portion of the actual number was encrypted.” Electronic Settlements Limited is the parent company of CashEnvoy and PayPad, whose databases were leaked.
Jeremiah said, “Our goal is to help not harm, but when an organization hides a data leak they do a disservice to their customers and partners.”
According to Security Discovery,
“It is unclear if Electronic Settlements Limited has notified the authorities or the affected users. No reply was given to the data exposure notification or request for comment at the time of publication.”