Popular local government online payment system exposed 14 million records

GovPayNow, which is used by agencies in 35 states, left six years' worth of receipts online and viewable through a simple workaround.

Government Payment Service Inc., an online payments provider that serves more than 2,300 local government agencies across the country, has exposed at least 14 million records of customers’ names, addresses, phone numbers and partial credit card numbers, according to a report Monday night.

The cybersecurity blog Krebs on Security reported that it recently informed Government Payment Service, which does business as GovPayNow, about a vulnerability that allowed past transactions to be viewed by changing characters in a receipt’s web address. The affected records date back to at least 2012.

GovPayNow, which is based in Indianapolis, told Krebs that it “addressed a potential issue with our online system” that left its records viewable to internet users beyond just individual customers and authorized government workers.

The discovery of GovPayNow’s data exposure could have far-reaching impacts, though. The company’s software is used by thousands of local agencies across 35 states for transactions including court-ordered fines, professional licensing fees and traffic tickets. GovPayNow told StateScoop there is no evidence that anyone attempted to access receipts in large quantities, and that it shut down its system over the weekend to address the flaw.


GovPayNow is not alone among payment providers struggling to keep users’ personal information under wraps. For more than a year, a string of local governments using a competitor, Click2Gov, have suffered data breaches, each potentially affecting thousands of residents. Click2Gov’s publisher, Securion, has attributed the breaches to a vulnerability in an Oracle application server required to access the software.

In the case of GovPayNow, reports that none of the 14 million exposed records were obtained by malicious actors might simply be a stroke of luck.

“Those receipts were enumerated in order, so just changing the digits would display someone’s driver’s license number or other information,” said Jessica Ortega, a security analyst at SiteLock. “This is by all accounts a pretty easy mistake to make. But it’s a pretty well known kind of vulnerability.”

Ortega added that a hacker would need to build a “fairly sophisticated bot” to scrape a GovPayNow record, then alter the digits in the URL to move to another receipt. But that doesn’t make the data exposure any less telling about how organizations prioritize website security.

“Security tends to be an afterthought,” she said. “Website owners are not taking proactive measures. Basic vulnerability testing should have identified the enumeration of receipts as a flaw.”
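The flaw described above, where the receipt number in the web address is the only thing checked, is shown here beside a hardened lookup. This is an added illustration, not GovPayNow's code; the data, function names and alert threshold are all constructed assumptions.

```python
import secrets
from collections import Counter

# Constructed sample data: sequential receipt number -> (owner, receipt text).
RECEIPTS = {
    1001: ("alice", "Traffic ticket, card ending 4242"),
    1002: ("bob", "Licensing fee, card ending 1881"),
}

def get_receipt_vulnerable(receipt_id):
    """Flawed pattern: the number in the URL is the only thing checked."""
    record = RECEIPTS.get(receipt_id)
    return record[1] if record else None

# Hardened pattern: the public reference is a random 128-bit token, and the
# lookup also requires that the authenticated session owns the receipt.
TOKENS = {secrets.token_urlsafe(16): rid for rid in RECEIPTS}
DENIED = Counter()  # failed lookups per session user, for alerting

def token_for(receipt_id):
    """Return the public token issued for a receipt (hypothetical helper)."""
    return next(t for t, rid in TOKENS.items() if rid == receipt_id)

def get_receipt_hardened(token, session_user):
    """Return the receipt text only to its owner; otherwise None."""
    rid = TOKENS.get(token)
    if rid is not None and RECEIPTS[rid][0] == session_user:
        return RECEIPTS[rid][1]
    # Unknown token and wrong owner get the same answer, so the response
    # does not reveal which receipts exist; the attempt is still counted.
    DENIED[session_user] += 1
    return None

def sessions_to_review(threshold=3):
    """Sessions whose denied lookups reached the threshold (value assumed)."""
    return sorted(u for u, n in DENIED.items() if n >= threshold)
```

The denied-lookup counter is what gives an operator evidence, one way or the other, about whether anyone tried to pull receipts in quantity.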

Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.