Security researcher Jeremiah Fowler together with the Website Planet research team discovered an open and non-password protected database that contained 9,098,506 records and Personally Identifiable Information (PII). This data contained credit card processing information that included merchant names, payee names, partial credit card numbers, expiration date, email address, security or access tokens, and more. Many of the transactions we saw were for donations or recurring payments to religious organizations, charity campaigns, or nonprofit groups. In some cases donors marked as “anonymous” in the database were identified in the records by their names and email addresses in clear text, along with comments about their donation.
Upon further research there were references to California-based Cornerstone Payment Systems. Once we identified the owner of the dataset we immediately sent a responsible disclosure notice, and public access was restricted the same day. Cornerstone acted fast and professionally and thanked us for identifying and reporting the exposure. According to their website, Cornerstone West Inc. is a registered independent sales organization (ISO) of Deutsche Bank, USA, New York, NY, and provides merchant processing for businesses and groups that align with their beliefs and ideology.
A statement on their website reads “As a part of our commitment we will not process credit card transactions for morally objectionable businesses”.
Credit and financial data is highly sensitive because the vast majority of cybercrime is financially motivated. If criminals had partial credit card numbers, account or transaction information, names, contacts, and donation comments, they could hypothetically build a profile of those individuals based on their religious affiliation or the causes they are passionate about. These criminals could then launch a highly targeted phishing campaign or social engineering attack. It is estimated that 98% of cyber attacks involve some form of social engineering.
This publicly exposed dataset could have been a goldmine for cybercriminals.
What the Database Contained:
Total Number of Records Exposed: 9,098,506
Folder named “Transactions”: Internal transaction log records that included merchant, user, and customer names, physical addresses and email addresses, phone numbers, and much more. This data could be considered Personally Identifiable Information (PII).
In a random sample of 10,000 records we searched for common email accounts inside the data. The results were as follows: 3,641 Gmail addresses, 1,194 Yahoo addresses, and small numbers of MSN, Comcast, and other providers or private email servers.
These individuals or merchants could potentially be targeted for spam or social engineering scams. We have validated in a limited sampling that these appear to be real individuals and active contacts.
The records exposed partial card numbers, type of card, valid dates, donation details, recurring payments, and comments. The donation details included the dollar amount and the purpose of the transaction, such as a donation, a payment for goods or services, or basically any other transaction. Electronic check payment data included bank names and check numbers. The notes also included authorization tokens, whether the payment was accepted or declined, and the reasons for the decision.
The records also exposed the identities of “anonymous” donors, along with comments indicating views and beliefs that individual donors may not have wanted exposed publicly and that put them at additional privacy risk.
What is the Risk of a Credit Card Processing Data Leak?
According to the US Federal Reserve, in 2021 an estimated 76% of purchases were made with credit or debit cards. In many instances when shopping or making a donation online, a credit card is the primary or only payment option available. Payment card processors receive data from a large number of retailers and organizations, making any data exposure of card processing systems a much bigger risk than a data leak involving an individual retailer.
Credit card processing involves transmitting sensitive cardholder information to validate transactions during the approval or denial process. The credit industry has strict data security compliance requirements such as the Payment Card Industry Data Security Standard (PCI DSS). The basic concept of PCI requirements is to create standard security protocols for companies who process, collect, store or transmit credit card data. Although individual states have data protection laws that protect consumer data, the U.S. government does not enforce the PCI compliance standards. These are instead regulated by the Payment Card Industry Security Standards Council, an independent entity formed in 2006 by the major credit card companies (American Express, Discover, JCB, MasterCard, and Visa). Non-compliance with PCI DSS may lead to an organization facing fines from payment processors, the severity of which depends on the size of the organization and the duration and scope of the non-compliance.
Phishing and Social Engineering
One potential risk would be criminals reaching out to customers and pretending to be a legitimate merchant or organization. The criminals would have all of the insider knowledge needed to build a relationship of trust with their victims and obtain additional payment information, a Social Security Number (SSN), or other data that could be used for nefarious purposes. For example, the criminal calls and says “I see you donated $500 back in March to support XYZ cause and we need you to validate the credit card ending in 1234”. The victim would have no reason to doubt this was a legitimate call, because only the group they donated to or the merchant they purchased from should know this information.
Many of the transaction comments we saw were for religious, pro-life / anti-abortion, anti-COVID mandate, and other conservative or religious causes. In the current climate of division, another potential risk would be the targeting of individuals listed in the exposed records based on the beliefs or causes that they support. Hacktivists have taken a vigilante stance in the past, and coordinated attacks are within the realm of possibility. For example, in November 2022, Russian hackers stole customer data from Australia’s largest health insurer Medibank and released abortion records online after the insurer refused to pay a $10 million ransom. It is likely not a coincidence that these specific records were targeted by cybercriminals and exploited for attempted financial gain. In June 2022, the hacking collective SiegedSec launched attacks targeting US state agencies with anti-abortion stances. The group released hacked government data and claimed there would be more cyberattacks on ‘Pro-Life Entities’.
We reviewed a limited sample of records and validated that the names and emails matched those of what appeared to be real individuals and organizations. As security researchers, for ethical reasons, we never download or extract the data we discover and only take a limited number of redacted screenshots to document the findings. As such, it is unclear how many total customers were affected in the data incident. Recurring payments could produce multiple transactions using the same user’s data and card information. As an example, if one user or merchant made automatic monthly payments over several years, these would result in multiple records with the same user’s payment data, although the payment or transaction ID and token data would differ for each record.
Our goal is data protection and cyber security awareness. We publish our findings for educational purposes and to raise awareness of data incidents. We imply no wrongdoing by Cornerstone, its merchants, or its affiliates, nor that any customer data was ever at risk. The presentation of material throughout this article does not imply the expression of any opinion whatsoever on our part concerning the legal ramifications of the data incidents highlighted. Statistics, factual data and other information in this article are from sources our researchers believe to be reliable, but we note that errors may occur and information may become out of date.
Data protection is very important, especially when large numbers of real people are potentially exposed. Companies and organizations that collect, store and process data have an obligation to notify potentially affected individuals. We highly recommend that organizations that collect and store PII or other sensitive data online use encryption and other security measures to ensure the protection of such data in the event it is accidentally leaked or exposed.
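As an added illustration, not code from the article or from Cornerstone, the following Python shows what the recommendation above looks like for a transaction log record of the kind described in this report: the card number is masked to the PCI DSS display form, the authorization token is dropped, the email is replaced by a keyed hash, the donor's anonymous flag is honoured end to end, and an audit pass flags any record that was written without sanitization. The field names, the sample records and the pepper value are constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample records modelled on the field types the report lists;
# every value here is invented, none is taken from the exposed database.
SAMPLE_RECORDS = [
    {"merchant": "Example Relief Fund", "payee": "Jane Doe", "card_number": "4111111111111111",
     "expiry": "12/25", "email": "Jane.Doe@example.com", "auth_token": "tok_constructed_1",
     "amount": "500.00", "anonymous": True, "comment": "In memory of my father"},
    {"merchant": "Example Relief Fund", "payee": "John Roe", "card_number": "5500 0000 0000 0004",
     "expiry": "03/26", "email": "john.roe@example.net", "auth_token": "tok_constructed_2",
     "amount": "25.00", "anonymous": False, "comment": "Monthly pledge"},
]

# Assumption: in production the pepper comes from a secrets manager, never from the log store.
PEPPER = b"constructed-pepper-replace-me"


def mask_pan(pan):
    """Mask a card number to the PCI DSS display form: at most the first 6 and last 4 digits."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:          # not a full PAN; hide everything rather than guess
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pseudonymize(value):
    """Keyed hash so records can still be grouped per donor without keeping the email."""
    return hmac.new(PEPPER, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def sanitize_for_log(rec):
    """Return the copy of a transaction record that is safe to keep in logs or exports."""
    out = dict(rec)
    out["card_number"] = mask_pan(rec["card_number"])
    out.pop("auth_token", None)          # access tokens never belong in a log record
    out["email"] = pseudonymize(rec["email"])
    if rec.get("anonymous"):             # an anonymous donor stays anonymous downstream
        out["payee"] = "anonymous"
        out["comment"] = ""              # free-text comments can re-identify a donor
    return out


def audit(records):
    """Return indices of records that still hold a full PAN, a token or a clear-text email."""
    bad = []
    for i, rec in enumerate(records):
        digits = re.sub(r"\D", "", rec.get("card_number", ""))
        if "auth_token" in rec or "@" in rec.get("email", "") or re.fullmatch(r"\d{13,19}", digits):
            bad.append(i)
    return bad
```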
Jeremiah Fowler is a Security Researcher and co-founder of Security Discovery. Jeremiah began his career in security research in 2015 and has a mission of data protection. He has helped identify and secure the data of millions of people around the world. His discoveries have been covered in Forbes, BBC, Gizmodo, among others. Security and responsible disclosure are not only a passion, but a way of protecting our digital lives.